Presumably this is to allow a user access to an account after they've
forgotten their password. It would be much safer to generate a new random
password for them and send that to the email address you have on file, not
one they specify when the password is requested. You could also disable the
account until they click a confirmation link in an email.