Thinking about it some more. Is the only practical exploit of this the case where a rogue sysadmin wants to figure out user passwords (without resetting the password and therefore alerting the user)?