[sunchild]

And what percentage would – like me – delete their account as soon as you send them a plaintext temp password?

You're living in the past if you think this is an acceptable practice. I don't care how trivial your web service is, if you're throwing my password around willy-nilly, I don't want you.

[rudiger]

To answer your question, probably less than 1%.

I like the practice of emailing a link to a page where the user can set their password for the first time.

[mmatants]

It's unacceptable to transmit in plain-text a password that the user specified.

But if it's a randomly-generated new nonce, seems OK as a pragmatic middle-ground. Folks like us, who care, will log in and change it.

[sunchild]

Probably a draw, as you say, since someone could get ahold of an authenticated link in your email, too.

[zck]

But usually, those links expire, or are only able to be used once. So the password the user creates is secure, and the period the attacker can use the captured link is only from the time the user requests the password reset until the time the user tries to use the reset, it doesn't work, and the user requests another reset.

When a user is sent a password via email, unless that user is required to change eir password upon entering it, it is inherently less secure than sending a link.

[powertower]

This isn't an attack for the downvote. But if you're the type of customer that flips out over getting your temp password in the mail to a blank account, I don't want you. As the troubles are only starting...

[natrius]

Google Apps sends plaintext temporary passwords.

[sunchild]

Only if you (admin user) ask it to. Still a bad practice. Also, the premise is that Google trusts itself as an email provider.