Password reset feature is insecure
The current password reset feature emails a new password (which the user is expected to change) in plaintext to the email address of record for an account. Email is a plaintext protocol: the message may pass through SMTP hops that do not use TLS, so the password can be sniffed in transit, and it remains readable in the recipient's mailbox (and any mail server or backup along the way) for as long as the message exists. A password delivered this way is a working credential until the user actually changes it, which many users never do.
The safer practice is to email a reset link to the end user, and this is the practice typically used by most modern password-protected systems. The link carries a random, single-use, time-limited token; the server stores only a hash of that token and invalidates it as soon as it is redeemed or expires, so an intercepted or leaked message is worthless once the window closes and never reveals a password.
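The following is an added example of the reset-link flow described above; it is not code from the original report or from the affected system. It assumes an in-memory store in place of a database table, a hypothetical 15-minute token lifetime, and a placeholder base URL (example.invalid). The server keeps only a SHA-256 hash of the token, so a database leak does not yield usable links, and redeeming a token removes it so the link works exactly once.

```python
import hashlib
import secrets
import time

# Hypothetical policy for this example: reset links expire after 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed stand-in for a database table.
# Maps sha256(token) -> {"user": user_id, "expires": unix_timestamp}
_reset_tokens = {}


def _digest(token):
    """Hash the token so the stored record is useless on its own."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def invalidate_user_tokens(user_id):
    """Drop every outstanding token for a user (e.g. after a successful reset
    or when the user changes their password by other means)."""
    stale = [d for d, rec in _reset_tokens.items() if rec["user"] == user_id]
    for d in stale:
        del _reset_tokens[d]
    return len(stale)


def issue_reset_token(user_id, now=None):
    """Create a fresh single-use token for user_id and store only its hash.

    Any earlier tokens for the same user are revoked so only the most recent
    link is valid. Returns the raw token, which goes into the emailed link and
    is never persisted server-side.
    """
    now = time.time() if now is None else now
    invalidate_user_tokens(user_id)
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    _reset_tokens[_digest(token)] = {"user": user_id,
                                     "expires": now + TOKEN_TTL_SECONDS}
    return token


def build_reset_link(token, base_url="https://example.invalid/reset"):
    """The only thing that goes into the email: a link, not a password."""
    return f"{base_url}?token={token}"


def redeem_reset_token(token, now=None):
    """Validate and consume a token.

    Returns the user id if the token is known and unexpired, otherwise None.
    The record is deleted on every lookup that finds it (used or expired), so
    a link can never be replayed. Because the token is high-entropy and only
    its hash is compared, a plain dictionary lookup does not leak anything
    useful through timing.
    """
    now = time.time() if now is None else now
    record = _reset_tokens.pop(_digest(token), None)
    if record is None:
        return None
    if now > record["expires"]:
        return None
    return record["user"]


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("email body:", build_reset_link(t))
    print("first redeem:", redeem_reset_token(t))   # alice
    print("second redeem:", redeem_reset_token(t))  # None, link already used
```

On redeem the application should prompt for a new password over HTTPS and then invalidate existing sessions for that user; the email itself never carries anything that remains valid after the window closes.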