The "/resetpw" page:

The URL format must be like this:

/resetpw/UID-TIMESTAMP-HASH

Where UID is the uid of the user whose password is to be reset, TIMESTAMP is the unix timestamp when the request was made, and HASH is a hash based on UID, TIMESTAMP, and other information that is unavailable to an attacher.

With no other arguments, a form is present which allows the user to enter a new password. When the SUBMIT button is pressed, a POST request back to the same URL that will change the password.