If you are not using LDAP external authentication then you can allow users to request an email to be sent to them with a link to a page that allows them to set a new password. By default only a user with privileges to edit users will be able to change a user's password.
To enable this feature, go to System settings and then choose the User limits option. Change the Forgotten password request link e-mail setting to yes and then select the Save button.
There is also a legacy setting Forgotten password web reset which allows a user to set a new password providing they can supply two separate pieces of personal information. It is strongly advised not to use this setting as it is too easy for intruders to find out or guess this information and then take over a user account. It is likely that it will be removed in a future release.