If you hit "reset password" it just sends a reset password to the user without confirming the user's identity in any way. Especially on the Liferay site, where everyone's email is email@example.com, there is a lot of potential for abuse if someone knows peoples' email addresses. Passwords can be arbitrarily reset.
The way most other sites do it now is by emailing a link to users who "forget their passwords" that sends them a form that expires within 24 hours. There, they can hit a button to reset the password, or even change the password directly. If they did not request the password change, they can simply ignore the email.