It would be useful to allow users to invalidate temporary password sent by "account details" feature from a second link within the same email. It's a common feature for many CMSes which doesn't seem to have any drawback.
Version: unspecified
Severity: enhancement