Hacker News

Just throwing in my experience here. I've seen a few sites that actually had the password reset request send them a URL that was formatted as:

example.com/password_reset?username=<username>

You could basically type that in and replace <username> with any username you wished and reset their password.

The sad part was how obscenely long it took them to close those holes (a couple of weeks).
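The flaw described above is a reset endpoint that trusts a caller-supplied username instead of proving the requester controls the account. The following is an added example, not code from the commenter or from any of the sites mentioned: a minimal reproduction of the vulnerable pattern next to a hardened version that mails out a random, hashed, single-use, expiring token and looks the account up from that token. The class names, the in-memory user dict, the clock parameter and the example.com URLs are all assumptions for illustration.

```python
"""Added example: password reset keyed on a guessable username vs. a random
single-use token. Illustrative only; the class, function and user names are
assumed and the in-memory dicts stand in for a real user store and mailer."""

import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse


def query_params(url: str) -> dict:
    """Return the first value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class VulnerableResetService:
    """Pattern from the comment: the reset link carries only a username, so
    anyone who can type a URL can reset anyone's password."""

    def __init__(self, users: dict):
        self.users = users  # username -> password (plain here for brevity)

    def reset_link(self, username: str) -> str:
        return f"https://example.com/password_reset?username={username}"

    def handle_reset(self, url: str, new_password: str) -> bool:
        username = query_params(url).get("username")
        if username not in self.users:
            return False
        self.users[username] = new_password  # no proof the requester owns the account
        return True


class HardenedResetService:
    """Reset link carries a random, single-use, expiring token; the account is
    looked up from the token, never from a caller-supplied username."""

    TOKEN_TTL_SECONDS = 3600

    def __init__(self, users: dict, clock=time.time):
        self.users = users
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._pending = {}  # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash: a leaked pending table must not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        if username in self.users:
            expiry = self.clock() + self.TOKEN_TTL_SECONDS
            self._pending[self._fingerprint(token)] = (username, expiry)
        # Always produce a link so the response does not reveal whether the
        # account exists; it is only ever sent to the address on file.
        return f"https://example.com/password_reset?token={token}"

    def handle_reset(self, url: str, new_password: str) -> bool:
        token = query_params(url).get("token", "")
        entry = self._pending.pop(self._fingerprint(token), None)  # pop: single use
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False
        self.users[username] = new_password
        return True


def demo() -> dict:
    """Constructed scenario: an attacker tries to reset 'alice' on both services."""
    results = {}

    vuln = VulnerableResetService({"alice": "hunter2", "mallory": "pw"})
    forged = "https://example.com/password_reset?username=alice"  # attacker types this in
    results["vuln_forged_link_works"] = vuln.handle_reset(forged, "owned")
    results["vuln_alice_password"] = vuln.users["alice"]

    now = [1_700_000_000]  # fake clock, advanced below to test expiry
    hard = HardenedResetService({"alice": "hunter2", "mallory": "pw"}, clock=lambda: now[0])
    results["hard_forged_link_works"] = hard.handle_reset(forged, "owned")
    link = hard.request_reset("alice")
    tampered = link[:-1] + ("A" if link[-1] != "A" else "B")  # flip last token char
    results["hard_tampered_token_works"] = hard.handle_reset(tampered, "owned")
    results["hard_real_link_works"] = hard.handle_reset(link, "new-secret")
    results["hard_alice_password"] = hard.users["alice"]
    results["hard_replay_works"] = hard.handle_reset(link, "owned")
    link2 = hard.request_reset("alice")
    now[0] += HardenedResetService.TOKEN_TTL_SECONDS + 1
    results["hard_expired_link_works"] = hard.handle_reset(link2, "owned")
    results["hard_unknown_user_link_works"] = hard.handle_reset(hard.request_reset("nobody"), "owned")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened service deliberately never reads a username from the request: the token is the only input, it is consumed on first use, it dies after an hour, and the store holds only its hash. A real deployment would additionally rate-limit reset requests, invalidate existing sessions after a successful reset, and hash the stored passwords.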



Whoah, that's frightening.




