by tatersolid 3120 days ago
> It's better than emailing passwords in plaintext

How exactly? The link is completely equivalent to the password from a security perspective. The whole system adds zero security over sending the password in clear text.

At $dayjob we have the help desk staff give initial passwords on a small card in person, and the system forces a change on first use.

For remote users the help desk uses a voice call, calling the user on a number provided by HR, and asking a few questions before giving the initial password.

This system is not uncommon and has been used by organizations for decades without being a commonly exploited vulnerability. It is more secure than pass.sh as it adds physical or at least weak verbal authentication. It is also much simpler, requiring no trusted third parties, and does not expose the secrets on the Internet at all.

1 comment

Lol, it's not equivalent because it's a link that deletes itself automatically after X days and X views. In a scenario where an email/slack/etc account becomes compromised down the road, a password sent in plaintext is immediately compromised, whereas a password shared with pass.sh has expired and is no longer a valid link.

If you can't understand the very basic security control there then I really can't help you. You sound like someone who has been stuck in IT too long.

You are kidding yourself if you think relying on a support agent to verify identity is better than the solution here. Humans are inherently fallible, as social engineering has proven time and again.
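The burn-after-read behaviour the second commenter describes (a link that stops working after X days or X views), as an added example in Python that is not pass.sh's own code; the in-memory store, the injectable clock and the sample secrets are constructed here to show why a token recovered from a mailbox later yields nothing:

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class StoredSecret:
    value: str
    expires_at: float   # absolute time after which the link is dead
    views_left: int     # remaining retrievals before the link is dead


class OneTimeSecretStore:
    """Constructed example of a self-expiring share link store.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._items = {}

    def create(self, value, ttl_seconds, max_views):
        # 256 bits of randomness: the token itself is the only credential.
        token = secrets.token_urlsafe(32)
        self._items[token] = StoredSecret(value, self._clock() + ttl_seconds, max_views)
        return token

    def retrieve(self, token):
        """Return the secret, or None if the link is unknown, expired or used up."""
        item = self._items.get(token)
        if item is None:
            return None
        if self._clock() >= item.expires_at:
            # Time-based expiry: purge so a late reader sees the same as an unknown token.
            del self._items[token]
            return None
        item.views_left -= 1
        if item.views_left <= 0:
            # View-based expiry: the first allowed read burns the link.
            del self._items[token]
        return item.value
```

A cleartext password found in the same mailbox months later is still valid; the stored link is not, which is the whole of the control being argued about.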