A better method is to send a special link to a user who requested to reset their password. After clicking on that link they can change it and log-in. That makes it such that the user is the only one that can trigger the reset.
The worst a third party can do is trigger an email (simply note in the email that if you did not request the email to ignore it and that your account is still safe).
The worst a third party can do is trigger an email (simply note in the email that if you did not request the email to ignore it and that your account is still safe).
This is a common technique.