I just went through the Password Reset process and noticed the page that was asking me to input a new password was served over HTTP. I edited the url to try HTTPS, saw it worked, and proceeded. To avoid such issues, it would be nice if it just defaulted to HTTPS.
Looks like our hosting service (https://www.discoursehosting.com) has silently added support for HTTPS, so I’ve changed all links. Thanks!