I suppose you are encrypting the DMs at DB level using the nsec, and the app password is used to encrypt the nsec itself, right?
So a reset as you suggested should be OK; just take care to keep a fingerprint of the original nsec (e.g. hash it) so the reset is validated against it.
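The fingerprint check suggested above, as an added example that is not part of the original comment or the app's own code: a salted, tagged hash of the nsec is stored next to the encrypted key, and a password reset is accepted only if the re-entered nsec reproduces it. It assumes the nsec is handled as its raw 32 bytes; the record layout, `FP_TAG`, the function names and the PBKDF2 parameters are hypothetical.

```python
import hashlib
import hmac
import os

FP_TAG = b"nsec-reset-fingerprint-v1"  # hypothetical domain-separation label
KDF_ITERATIONS = 600_000               # assumed PBKDF2 work factor


def make_fingerprint(nsec, salt=None):
    """Return the record stored beside the encrypted nsec (never the nsec itself)."""
    if len(nsec) != 32:
        raise ValueError("nsec must be the raw 32-byte secret key")
    salt = salt if salt is not None else os.urandom(16)
    # Keyed, tagged hash: the value is tied to this app and this install.
    digest = hmac.new(salt, FP_TAG + nsec, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "fp": digest}


def matches(candidate, record):
    """Constant-time check that a re-entered nsec is the original one."""
    if len(candidate) != 32:
        return False
    expected = make_fingerprint(candidate, bytes.fromhex(record["salt"]))["fp"]
    return hmac.compare_digest(expected, record["fp"])


def reset_password(candidate, record, new_password):
    """Gate the reset on the fingerprint, then derive the new wrapping key."""
    if not matches(candidate, record):
        # Refuse: this is not the key the fingerprint was taken from.
        raise PermissionError("nsec does not match the stored fingerprint")
    kdf_salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", new_password.encode(), kdf_salt, KDF_ITERATIONS)
    return kdf_salt, key  # the app's own cipher re-encrypts the nsec under `key`


if __name__ == "__main__":
    original = bytes(range(32))            # constructed sample key, not a real nsec
    record = make_fingerprint(original)    # created once, at account setup
    print("original accepted:", matches(original, record))
    print("other key accepted:", matches(os.urandom(32), record))
```

Because the nsec is a random 256-bit value, the stored fingerprint cannot be brute-forced back to the key the way a hashed password could.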