You're correct, I was a bit too fast reading your command.
My point here was, though it perhaps doesn't matter in your organization, that in most "standard" companies a user's password is not supposed to be stored elsewhere and is not supposed to be known by anyone except the user themselves.
Thus, when a password is reset by the help-desk service or an administrator, the process has to trigger a "password change" control so that the final password is different from the new one.
With your process, at least as I understand it, you will have either to set the same value (new password) for all users (in which case any user can authenticate with any account) or to store a specific password for each user, and then this file is clearly the weak point. Furthermore, at least up to Zentyal 2.2, there is no trigger to enforce a "password change".
Anyway, what matters is that what you design matches your company's policies;
my point was just from a theoretical standpoint.