There are three ways to reset an account's password.
These both send the user an email with a link they can use to set a new secure password. As with the user method, this does not invalidate the old password until the new one is set which means that if the user remembers their password they can carry on working.
If you have set the option to automatically delete non-activated accounts, and the user does not act on the email then the account may be deleted the prescribed number of days later.
This is linked to on the authentication point and at www.openathens.net:
When used an email is sent to the user with an activation link that will let them choose a new password. This does not disable the account and access will continue to work with the old password until a new one is set. Amongst other things, this approach prevents people resetting a friend's password and disabling their access 'for a laugh'.
The forgotten password page will not work for accounts that have never been activated.