This method of password retrieval relies on the assumption that only the legitimate owner of the account has access to the inbox for that particular email address.
The process is often initiated by the user clicking a forgotten-password link on the website; after they enter their username or email address, the password notification email is automatically sent to the account holder's inbox.
The new password or the URL often contains a randomly generated string of text that can only be obtained by reading that particular email.
The main issue is that the contents of the password notification email can be easily discovered by anyone with access to the inbox of the account owner.
The user is therefore responsible for either securely deleting the email or ensuring that its contents are not revealed to anyone else.
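
One way a site can reduce how long a notification email stays useful to someone who later reads the inbox, shown as an added example that is not part of the original text: the emailed URL carries a random token that works once and expires, and the server keeps only its hash. The function names, the in-memory store, the 15-minute lifetime and the example.com URL are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; not taken from the original text

# Hypothetical in-memory store: sha256(token) -> (username, expiry timestamp).
_pending = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_url(username, now=None):
    """Build the URL that would be placed in the password notification email."""
    now = time.time() if now is None else now
    # A new request invalidates any earlier unused token for the same account.
    for key in [k for k, (user, _) in _pending.items() if user == username]:
        del _pending[key]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # Only the hash is stored, so a leaked store does not reveal usable tokens.
    _pending[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return "https://example.com/reset?token=" + token


def redeem_token(token, now=None):
    """Return the username for a valid token, else None. Tokens are single use."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)  # pop: a second use always fails
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        return None  # an old email found in the inbox no longer works
    return username


if __name__ == "__main__":
    url = issue_reset_url("alice")  # constructed sample account name
    emailed_token = url.split("token=", 1)[1]
    print("first use :", redeem_token(emailed_token))
    print("second use:", redeem_token(emailed_token))
```
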