by michaelmior 3755 days ago
> Imagine if a user has their email account hacked - the first thing an attacker will do is try to compromise their other online accounts, and long-lived password reset links make this easy.

I don't see how the length of time the reset link is valid really has any bearing here. I'm assuming the implication is that an attack could search for old password reset emails but if they have access to the email account, why not just request another reset?

2 comments

Well spotted - I kind of mangled that explanation. The risk being mitigated is if somebody gets a dump of your old emails. Short-lived reset tokens don't help if they have full access to your email account.
Some resets force you to answer a security question before it will send a reset link.
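To make the distinction drawn in this thread concrete, here is an added example (not code from any commenter) of a short-lived, single-use password reset token store: a link recovered from a dump of old emails is rejected once its lifetime has passed, while someone with live inbox access can still request and redeem a fresh one, which is why the lifetime alone does not mitigate that case. The 15-minute lifetime and the user name "alice" are assumed values.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy value, not taken from the thread

# In-memory store: sha256(token) -> record. Only the hash is kept, so a dump of
# this table (like a dump of old emails) does not hand out redeemable secrets.
_reset_tokens = {}


def issue_reset_token(user, now=None):
    """Create a one-time reset token; the returned secret is what goes in the email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _reset_tokens[digest] = {"user": user, "expires_at": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_reset_token(token, now=None):
    """Return the user if the token is known, unexpired and unused; otherwise None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _reset_tokens.get(digest)
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True  # single use: a replayed link fails even inside the TTL
    return record["user"]


def simulate_thread_scenarios():
    """Play out the two situations the thread discusses (constructed timeline)."""
    t0 = 1_000_000.0
    week = 7 * 24 * 3600
    # Scenario 1: a reset link sits in an old-email dump and is tried a week later.
    old_link_token = issue_reset_token("alice", now=t0)
    old_dump_result = redeem_reset_token(old_link_token, now=t0 + week)
    # Scenario 2: live inbox access; a fresh link is requested and used a minute later.
    fresh_token = issue_reset_token("alice", now=t0 + week)
    live_access_result = redeem_reset_token(fresh_token, now=t0 + week + 60)
    return {"old_dump": old_dump_result, "live_access": live_access_result}
```

Running `simulate_thread_scenarios()` returns `{"old_dump": None, "live_access": "alice"}`: the short lifetime blocks the stale link but does nothing against a freshly requested one.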