sunchild | 14 years ago

Probably a draw, as you say, since someone could get ahold of an authenticated link in your email, too.

zck | 14 years ago

But usually, those links expire, or are only able to be used once. So the password the user creates is secure, and the period the attacker can use the captured link is only from the time the user requests the password reset until the time the user tries to use the reset, it doesn't work, and the user requests another reset.

When a user is sent a password via email, unless that user is required to change eir password upon entering it, it is inherently less secure than sending a link.
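
The expiring, single-use reset link described in the comment above, as an added example that is not part of the original thread. The class name `ResetTokenStore`, the 15-minute lifetime and the in-memory dictionary are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the thread gives no figure


class ResetTokenStore:
    """Hypothetical in-memory store of pending reset tokens (a real service would use a database)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> (SHA-256 of token, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user):
        """Create the token for the emailed link; a new request replaces any older one."""
        token = secrets.token_urlsafe(32)
        self._pending[user] = (self._digest(token), self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user, token):
        """Return True once for a valid, unexpired token; False for everything else."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if not hmac.compare_digest(digest, self._digest(token)):
            return False  # wrong token: the pending one stays untouched
        del self._pending[user]  # single use: consumed whether or not it has expired
        return self._clock() <= expires_at
```

A captured link is useful only until the token is redeemed, replaced by a newer request, or expired, which is the window the comment describes.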