In my experience it’s always a tokenized link, no clear text required.
It’s painless to use password resets
Ya and have they send you the (one-time) password in plaintext
oleorun@real.lemmy.fan 8 months ago
nous@programming.dev 8 months ago
Well, the tokenized link is essentially a clear text one time password. Not really any better than just a one time password except for the convenience that the user does not need to type it in. If someone gets hold of the link or password before you they can get access to your account.
lowleveldata@programming.dev 8 months ago
I don’t see how’s either way better or worse as long as they force you to change the password upon login
fireflash38@lemmy.world 8 months ago
And what is the token in the link?
exal@lemmy.ca 8 months ago
You make it sound like an irrelevant detail, but that’s kind of the key part. If implemented properly, it’s only valid once and for a short period of time, which greatly reduces risk.
lowleveldata@programming.dev 8 months ago
Sure. I just want to point out that there is valid case when passwords are sent in clear text.