There are three ways to reset an account's password.

Administrator methods

Send an activation email (recommended)

These both send the user an email with a link they can use to set a new secure password.

As with the user method below, this does not invalidate the old password until the new one is set which means that if the user remembers their password they can carry on working until they check their email and act on it. 

Set a new password manually

User method

Forgotten password page

This is linked to on the authentication point and at

When used an email is sent to the user with an activation link that will let them choose a new password. This does not disable the account and access will continue to work with the old password until a new one is set. Amongst other things, this approach prevents people resetting a friend's password and disabling their access 'for a laugh'.

The forgotten password page will not work for accounts that have never been activated.