Sorry if this was asked or brought up before. I sent an e-mail about it, but this looks to maybe be a better avenue to report this sort of thing.
Recently, I've had to reset my password, having forgotten it. In the process of doing so through the usual method, I discovered that, instead of being sent a reset link, I was given my username and a new, randomly-generated password to use to log in again via e-mail. Basically, requesting for my password to be reset actually reset it before I could log in to change it.
This approach to password resetting is considered to be a security vulnerability for two reasons: (1) it enables attackers to inflict a form of denial of service attack simply by putting in a known user's e-mail address and having his/her password changed without his/her permission (mainly a mere inconvenience, to be sure, but there's no reason a Joe Shmoe should be able to tell the server to change someone else's password on a whim), and (2) sending a password over e-mail is risky business, assuming the e-mail is sent to the end user unencrypted over an insecure connection.
I was wondering if you considered changing the system to use links with randomized, temporary reset tokens to allow users to change their password themselves. This is considered to be significantly more secure.
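The token-based flow suggested above, as an added illustration that is not part of the original post and is not the forum software's own code: a reset request only records a hashed, time-limited, single-use token (the kind that would be embedded in an e-mailed link), and the account's current password stays valid until the user redeems that token with a new password. The 15-minute lifetime, the in-memory stores and the `AccountService` class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumption for this example: reset links stop working after 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of a password; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AccountService:
    """Minimal account store with link-token password resets (example only)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._users = {}             # username -> (salt, password digest)
        self._pending = {}           # sha256(token) -> (username, expires_at)

    def create_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def check_login(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    def request_reset(self, username: str) -> Optional[str]:
        """Issue a random, single-use, expiring token for the e-mailed link.

        The current password is NOT touched here, so a stranger submitting
        someone else's address cannot lock that person out.
        """
        if username not in self._users:
            # An HTTP handler should answer identically whether or not the
            # account exists; only the token (or lack of one) differs.
            return None
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked database does not yield usable links.
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Redeem a token from the link and set the user's new password."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)   # pop makes the token single-use
        if entry is None:
            return False
        username, expires_at = entry
        if self._clock() > expires_at:
            return False
        self._users[username] = hash_password(new_password)
        return True
```

In a real deployment the token would be placed in a URL and e-mailed, and the comparison in `check_login` shows the same constant-time discipline the token lookup gets for free from hashing. Note that the only thing an unauthenticated party can trigger is the issuing of a token the rightful mailbox owner may simply ignore.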