This is definitely the desired behavior. Though I think we may want to use the users email address in the form, as opposed to their username, otherwise we'll potentially have user's spoofing each other with the form for fun.

I should add ... the link has a token in it. The token is user specific and expires after some amount of time that we specify.

The way this works currently is that an email is sent to the user with a link. Using this link they can reset their password. The system doesn't actually change the password to anything until the user explicitly sets it. We can chage this of course if needed.