Is there a problem with the logic at reset.php?
As long as you guess the correct username, you can change the password without user permission.
Although the password cannot be guessed, the continuous modification will cause the user to be unable to log in.
I think there is still some impact.