[mmatants]

It's unacceptable to transmit in plain-text a password that the user specified.

But if it's a randomly-generated new nonce, seems OK as a pragmatic middle-ground. Folks like us, who care, will log in and change it.

[sunchild]

Probably a draw, as you say, since someone could get ahold of an authenticated link in your email, too.

[zck]

But usually, those links expire, or are only able to be used once. So the password the user creates is secure, and the period the attacker can use the captured link is only from the time the user requests the password reset until the time the user tries to use the reset, it doesn't work, and the user requests another reset.

When a user is sent a password via email, unless that user is required to change eir password upon entering it, it is inherently less secure than sending a link.