Say, someone gets a dump of my users table (doesn't need to be Lift's fault, can be a bad database configuration), then all the passwords in there are salted and hashed and so the attacker has no realistic chance of recovering any of the passwords therein. Also, some intern who might have read access to the database cannot see the password.
However, the uniqueID allows one to silently reset the password by visiting the URL
That is, even though the passwords cannot be recovered by an attacker, they can be reset to an arbitrary value (which is bad enough for, say, online banking). If I noticed that someone got access to my database, I can simply say "UPDATE users SET uniqueId=..." and get rid of that problem, but until I notice, the attacker is free to take over any account in the database.
The timeout's a good idea. Not sure if the hashing of the reset key secures us against much, but I'll think on it, as I may be wrong about that.
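The hashed, expiring reset key discussed in the reply above, as an added Python example that is not Lift's code (the in-memory table, its column names and the 15-minute lifetime are assumptions): because only the SHA-256 of the token is stored, the value an attacker reads from a dump of the users table fails the check, and the timeout bounds how long a mailed link stays usable.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the users table (hypothetical schema): each row keeps
# only the hash of the reset token and its expiry, never the token itself.
USERS = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(user_id: str, now: float) -> str:
    """Generate a fresh random token and persist only its hash and expiry.
    The raw token is returned once so it can be put in the mailed URL."""
    token = secrets.token_urlsafe(32)
    USERS[user_id] = {
        "reset_hash": _hash_token(token),
        "reset_expires": now + TOKEN_TTL_SECONDS,
    }
    return token

def redeem_reset_token(user_id: str, presented: str, now: float) -> bool:
    """Accept the presented token only if it hashes to the stored value and the
    link has not expired; clear the row on success so the link is single-use."""
    row = USERS.get(user_id)
    if row is None or row["reset_hash"] is None:
        return False
    if now > row["reset_expires"]:
        return False
    # constant-time comparison of the two hex digests
    if not hmac.compare_digest(row["reset_hash"], _hash_token(presented)):
        return False
    row["reset_hash"] = None
    row["reset_expires"] = 0
    return True

def dumped_value_redeems(user_id: str, now: float) -> bool:
    """Model the thread's scenario: someone holding a copy of the users table
    presents the stored column value as if it were the reset token."""
    leaked = USERS[user_id]["reset_hash"]
    return redeem_reset_token(user_id, leaked, now)
```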