[ajanuary]

When implemented correctly, password reset links

a) Work once. If you click on a password reset link and it says it's already been used, you know something is up, v.s. someone using the plaintext password to log in before you and you are non the wiser.

b) Expire. Lot's of people won't bother changing the password that was given to them, so anyone who comes across a plaintext password in the email at a later date would be able to log in.

[NeutronBoy]

Both of these things can be true with temporary plaintext passwords.

[tripzilch]

> Both of these things can be true with temporary plaintext passwords.

In that sense, a password reset link is equivalent to a temporary plaintext password.

Except it's got better usability, being a link that you can click on.

[ajanuary]

Temporary plaintext passwords are rare; I don't think I've ever seen one. If you've got as far as temporary plaintext passwords, I'd argue it's a better UX to provide a simple link instead of forcing them to copy and paste something.