May not be the most secure option ever, but you could have a workflow send the email (referencing the password field), and then blank the field after the email is sent.
You could hide the password field from the form based on status (such as "password sent") or you could use object permissions to hide it once it's been used. A few ways to do it, I think. Just make sure the field isn't audited.
This was one of the workarounds I was thinking of, but I wasn't sure how to not show the email. I will give this a test.
@Vee: Thank you very much for your answer, it was the inspiration I needed.
I decided to do without a workflow, because we often have problems with them failing (a separate issue), but I have managed a similar solution with just the quick action.
Step 1: Created a field of type Password to hold the password - this has the added advantage of enforcing the default password rules, so it has to be 8 characters etc., and of being encrypted in the database for an added layer of security above and beyond clearing it afterwards (I think).
Step 2: Created a quick action which prompts for the password, and also sends the email using a log type of failure as you suggested - the email doesn't show up in the activity history, thankfully (and I have yet to see a failure, so I am not worried about that).
Step 3: Just for completion, I added a composite to the quick action to create a journal entry to say something like 'password reset, email not stored for security reasons' so that people know something has happened.