I've absolutely refused sketchy requests
Back when I provided support to folks in the medical field, I received an odd call one day that I almost performed the password reset for--but didn't quite pass the sniff test.
The user that had called in asked me to reset his password, I verified the user by having him provide all the requisite information (month/day of birth, last 4 of SSN, etc...) but during the conversation, it came up that he was annoyed about having to reset his password while he was on vacation on the opposite coast. I assumed that he probably needed access to his email or something, and when I asked him to pull up the login screen from his device so that I could read off the temporary password and make sure he was able to login and reset--I found out that he didn't have his laptop, or any corporate (or even personal) device capable of reaching the login page which required Citrix to be installed.
It was at that point, I was confused enough that I started asking follow-up questions while digging through the guy's previous tickets. The caller was a medical technician that had zero reason to log into anything remotely, since his job required direct contact with patients and a giant machine located at his work site. Upon investigation of the guy's previous tickets, I saw a previous call for a password reset and when I read the notes from the last agent that took the call, I saw the reason that nothing added up.
The guy's manager had called up pretending to be the user, and thankfully my colleague refused to reset the guy's password, and when that happened the caller then owned up to the fact that he was the manager in hopes he could demand the reset from a position of authority--which the other agent didn't, and had informed the guy that only the actual user could initiate a reset and be provided with a temporary password.
So, this guy's jerk of a boss decided that instead of following proper security protocols, and requesting access for each user that needed to perform this guy's job--that they'd all just use his credentials. Well, the guy apparently changed his password recently enough that the account got locked and when he called to reset the password, and we refused (because THAT was the right thing to do) he woke this poor guy up on his Honeymoon to annoy him with problems that weren't his--on top of that, the time he called was early morning 8:00 AM eastern time so the user on the opposite coast was being harassed at 5:00 AM with the time zone difference!
After learning the truth about the whole situation, and confirming with management that if it didn't feel right to do it, that I shouldn't--and that they would back me when this guy complained. I told the user that given the circumstances, I can't knowingly reset his password when I know that it was being done to circumvent the security policy, and told him that his manager could suck it up and request access for himself or another user and we'd be happy to expedite it--but we wouldn't be resetting his password before he returned from his trip. I even made sure to reset the guys password to something random (that I made sure I couldn't remember and didn't write it down anywhere) and re-locked his account to make sure nobody could login. Made sure to leave notes for the next agent if the boss tried again, and instructed them not to do it either.
I made sure to congratulate the guy on his nuptials, and told him to enjoy the rest of his vacation, because he was under no obligation to put up with his manager's nonsense, and that if his boss persisted, that he could instruct him to contact the Help Desk for assistance requesting his own access, and an in depth explanation of the security policy. When I told the caller that if someone screwed up, or did something shady while logged into his account, that he was the one liable--at which point he thanked me, and went on his merry way.
Technically, the corporate policy said that I needed to reset that user's password, because he was able to verify his identity as the correct user--but I just couldn't do it in good conscience, because I didn't want to be the one in front of the firing squad if that manager did something stupid and I knowingly enabled it. Sure the employee would probably be the one fired for giving his credentials to his manager, but he was following orders, and I knew it was wrong--even if he didn't.