Password resets have always been an issue with Drupal 7.
Normally the password reset link goes to a landing page telling you to change you password, then it directs to the user account edit page and doesn’t force the user to change their password. So what happens is they never end up changing their password to something they’ll remember and they keep requesting a new password reset link. This module replaces that landing page with the password reset form:
The other issue is that once user’s log in through the password reset link, they still don’t know their current password, so they can’t change it. That defeats the whole purpose of the password reset link. This module removes the requirement to know the current password:
The modules can be used together or separately. If I were to choose one, I’d go with the Password Reset Landing Page module. The No Current Password module gets around a security “feature” in Drupal 7 that requires a user to enter their password to make changes to the account’s email or password. In cases where someone may leave their account logged in at a public place or shared computer, it prevents someone from locking the user out of their account.