ESOUI

ESOUI (https://www.esoui.com/forums/index.php)
-   Site help, bugs, suggestions/questions (https://www.esoui.com/forums/forumdisplay.php?f=18)
-   -   Password Reset should not be sending plaintext passwords!!! (https://www.esoui.com/forums/showthread.php?t=8718)

Lent 08/19/19 02:10 PM

Password Reset should not be sending plaintext passwords!!!
 
Currently the password reset function does a couple things wrong:

a) It tells the user whether or not an email is registered (meaning an attacker could use the entry to find valid accounts). This can also be a privacy issue because if I know a target's email address, I can use your form to see if they have an account, and thus attach that to their identity.

b) More importantly, upon requesting a password reset, a new password is sent to the user in plaintext. The user is not required to change their password upon login - so this is super scary.

Proposed fixes:

a) Change password reset to something a bit more ambiguous ("If your account is registered with us, you'll receive an email shortly with a link to reset your password", or similar). If you couple this with proper handling on the backend (e.g. to avoid timing attacks), an attacker would not be able to guess valid accounts.

b) Change the password reset link in email to point to a password reset field, and change the password directly on the site. This keeps the data at least partially encrypted in transit because they're sending their password data to you over HTTPS. Never, ever, ever, ever, ever, EVER send the user any account details over email (or ever display their password period).

If the forum software/site integration you're using doesn't have the ability to change password on-site, then a temporary password via email is *begrudgingly* acceptable, ONLY as long as you force them to change their password immediately before letting them do anything else.
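
The reset flow proposed above (one fixed reply whether or not the address is registered, and an emailed single-use link to an on-site form instead of a mailed password), as an added Python example that is not code from ESOUI or vBulletin; the in-memory USERS and RESET_TOKENS stores, the example.invalid link and the send_email callback are assumptions standing in for the site's database and mailer.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the forum's user and
# token tables (assumption; a real deployment uses the site database).
USERS = {"alice@example.com": {"salt": b"", "pw_hash": b""}}
RESET_TOKENS = {}                  # sha256(token) -> (email, expires_at)
TOKEN_TTL = 3600                   # seconds a reset link stays valid

# One fixed reply whether or not the address is registered (issue A).
GENERIC_MSG = ("If your account is registered with us, you'll receive an "
               "email shortly with a link to reset your password.")

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def request_reset(email: str, send_email, now=None) -> str:
    """Handle a reset request; returns the message shown to the requester.

    Known and unknown addresses run the same code path (token generated
    and hashed either way) so neither the reply nor its timing reveals
    whether the address exists. The mail send itself should be queued
    off the request path so SMTP latency does not leak it either.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)               # only ever placed in the link
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    if email in USERS:
        RESET_TOKENS[token_hash] = (email, now + TOKEN_TTL)  # store the hash only
        send_email(email, f"https://example.invalid/reset?token={token}")
    return GENERIC_MSG

def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Consume a link and set the new password on the site over HTTPS
    (issue B): the password itself is never placed in an e-mail."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)      # single use, even if expired
    if entry is None or entry[1] < now:
        return False
    email, _ = entry
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": _hash_password(new_password, salt)}
    return True

def verify_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    return secrets.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))
```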

Dolby 08/19/19 02:48 PM

Thanks, will look into it.

Just deployed a fix for issue A, it acts the same now if email is not valid.

Issue B is going to take more time.


vBulletin © 2024, Jelsoft Enterprises Ltd
© 2014 - 2022 MMOUI