by tyzoid
770 days ago
The difference is usually time - your actual password sitting in plaintext in your inbox vs a code that's only valid for 10min-24h. In my opinion, it's marginally more likely for a full point-in-time compromise of an email account. A credential that has already expired is less useful than one still valid. Granted, if an attacker can trigger a password reset and also have persistent access to an inbox, there's still an issue there, but it's at least less bad.