I was emailed by a customer who wanted me to change his password to a new one that he gave me; he said he thought the old one had been compromised.
Fair enough, I thought, and went to do it. Then I stopped.
It's extremely easy to spoof the origin of an email. Think of a letter; on the back of the envelope, you'll often find the "from" address. That's so that the post office can return it if they can't deliver it. You can see how easy it would be to put a false return address on an envelope. Well, that's how easy it is to put a false "from" address on an email.
That means that I don't know that the email really did come from my customer.
Does it matter? Yes, it does! If I change it to the one that he suggested, then the sender of the email can keep trying the new password, once per day or so, until it works. And if the sender of the request wasn't actually my customer, then we have grief.
So what I did was change the password to something else completely, and email my customer, at the address that he gave when he signed up with me, to give him the new password.
If it really was him that made the request, then he might be mildly annoyed that I didn't give him the password he asked for. If he emails me to complain, I'll explain why I did it.
If it wasn't him that made the request, then either he'll just accept the change as one of those things that sometimes just happens, or else (much less likely) he'll email me to ask why I changed it, and then I'll explain.
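The policy described above (discard the requested password, generate a fresh one, deliver it only to the address of record), as an added Python example that is not code from the original post; the Account and ResetRequest types and the function names are assumptions.

```python
import secrets
import string
from dataclasses import dataclass


# Hypothetical account record: the address of record is the one the customer
# gave at sign-up, not whatever an incoming email claims as its sender.
@dataclass
class Account:
    username: str
    address_of_record: str
    password: str = ""


@dataclass
class ResetRequest:
    claimed_sender: str       # the email's "From" address, which is trivially spoofable
    requested_password: str   # the value the requester asked to have set


ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 16) -> str:
    """Fresh password from the OS CSPRNG; the requester never gets to choose it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def handle_reset_request(account: Account, req: ResetRequest) -> dict:
    """Reset the password without trusting anything in the request itself.

    The requested password is ignored, so an impostor cannot simply wait and
    try "their" password later; the new one goes only to the address of record.
    """
    account.password = generate_password()
    return {
        "deliver_to": account.address_of_record,   # never req.claimed_sender
        "used_requested_password": False,
        # Informational only: a matching sender proves nothing, since "From" can be forged.
        "sender_matched_record": req.claimed_sender == account.address_of_record,
    }
```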
So. Maybe this request was kosher. But it does occur to me that this would be quite a good way to get unauthorised access to someone else's account. So here's the test you can make.
You have a password on a number of different sites; some unimportant, but some very important (such as Amazon, who also have your credit card on record, or your bank). If you email these sites and ask them to set your password to a value that you give them, and if they do it, then there's a problem, and (other than avoiding using that site in future) I don't see how you can solve it.