That assumes you know that users personal information. Keeping email address private is a good way to prevent that, but even if someone did reset their password they can't use it without knowing that users email address login and if they know that then it doesn't matter what form of password resetting is used. Ideally in the future we'd like to improve this with a reset link as you're wanting and built in secret questions.