The password reminder (as I used it yesterday) doesn't set a new password. It sends current password in an email.

If the passwords were encrypted, as they should be, then the current password reminder function would not be possible.

If a password reset ability is provided to unauthenticated users (those who have forgotten their passwords can't authenticate) this function can be abused to interfere with legitimate access. Any unauthenticated user can request a password reset for any other user, as long as they know whatever is used to specify the account (typically a login ID or email address).

This risk can be mitigated by having the password reset function set a new additional password if the user is unauthenticated, without invalidating the current password. Only if the user is currently authenticated should the password reset function invalidate previous passwords. This presumes an authentication system that supports multiple concurrent passwords.

Security can be improved by setting a short expiry and limiting the number of uses of the password set by the password reset function available to unauthenticated users.

If the new passwords are distributed by email, then the user accounts are only as secure as the email delivery system. Ideally, the system would support but not require encrypted email for new password distribution.