On sites with many users (> 100k), the procedure tends to time out, as it scans all records due to a missing index.
The best solution would be a dedicated table PasswordResetTokens.
As an easier fix, I suggest adding a filtered index on PasswordResetToken of the users table (where PasswordResetToken is not NULL) and clearing all outdated and used tokens when possible, which keeps the index very small and fast.
Limitation: the system might no longer be able to identify and display whether a token is just outdated or (not issued or has already been used) - but IMO this is not necessary.
I volunteer to provide the necessary SQL code if accepted (should not require API changes).
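A sketch of the filtered index and token cleanup proposed above, added here as an illustration and not code from the original post or the project. It is written for SQL Server; the schema `dbo.Users(UserID, PasswordResetToken uniqueidentifier, PasswordResetExpiration datetime)`, the index name, UTC storage of the expiration and the sample token are assumptions.

```sql
-- Added example; table, column and index names are assumed, not from the post.
-- Sessions that modify a table with a filtered index must run with
-- QUOTED_IDENTIFIER and ANSI_NULLS ON, otherwise the DML fails.
SET QUOTED_IDENTIFIER ON;
SET ANSI_NULLS ON;
GO

-- Filtered index: only rows that currently hold a token are indexed,
-- so its size tracks outstanding reset requests, not total users.
CREATE NONCLUSTERED INDEX IX_Users_PasswordResetToken
    ON dbo.Users (PasswordResetToken)
    INCLUDE (PasswordResetExpiration)
    WHERE PasswordResetToken IS NOT NULL;
GO

-- Purge expired tokens in small batches to keep locks and log growth short.
-- Assumes expirations are stored in UTC.
DECLARE @BatchSize int = 5000, @Rows int = 1;
WHILE @Rows > 0
BEGIN
    UPDATE TOP (@BatchSize) dbo.Users
       SET PasswordResetToken      = NULL,
           PasswordResetExpiration = NULL
     WHERE PasswordResetToken IS NOT NULL
       AND PasswordResetExpiration < GETUTCDATE();
    SET @Rows = @@ROWCOUNT;
END;
GO

-- Token lookup. The IS NOT NULL predicate is stated explicitly so the
-- match against the index filter does not rely on optimizer inference.
DECLARE @Token uniqueidentifier =
    '00000000-0000-0000-0000-000000000001';  -- constructed sample value
SELECT UserID
  FROM dbo.Users
 WHERE PasswordResetToken = @Token
   AND PasswordResetToken IS NOT NULL
   AND PasswordResetExpiration >= GETUTCDATE();

-- After a successful reset, clear the used token so it leaves the index
-- and cannot be replayed.
UPDATE dbo.Users
   SET PasswordResetToken = NULL, PasswordResetExpiration = NULL
 WHERE PasswordResetToken = @Token
   AND PasswordResetToken IS NOT NULL;
```

Comparing the estimated plan of the lookup before and after creating the index should show the scan replaced by a seek on `IX_Users_PasswordResetToken`.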