Checked logs, nothing unusual.

Any person, so long as they know the associate email, can request a new password even if it is not their account.

Would second the Keepass suggestion for those who want secure passwords and have a hard time remembering them.
I personally...