Just to continue the discussion... resetting passwords is not only pretty standard, but much preferred. If you retrieve a password for the wrong user, you give the hacker free reign on the account. If you reset a password for the wrong user, the real user knows as soon as they try to log in... often to late, but better late than never.
The downside, of course there's always a downside, is when you're using the password as the encryption key for other data... the data will be lost. It's still a great method if the data is really confendential, but just make sure to put a big disclaimer somewhere, people get peeved otherwise.
-Rob