
Why are one time password reset links safer than one time passwords?

Çağlar Arlı


Recently I applied for a job at a company creating "security-critical solutions for military, aerospace, ..."

After registering at their webpage, I received an email with my username and a plaintext one-time password. My first reaction was to jump in horror at their incompetence, especially given that security should be their core competence, but after giving it a second thought, I realized that I am a new user and that nothing is at stake yet. But afterwards I saw that their password reset feature actually sends a plaintext one-time password.

This got me thinking, is it really so bad to send a one-time password in plaintext? Especially when someone who claims to make a living out of security does so?

I was reading this highly upvoted answer saying that you should never send any passwords by e-mail. Instead, if your user forgets their password, you should send them a one-time password reset link.

But what is the fundamental difference between a one-time password and a one-time link?

So far, I couldn't find any. The closest two clues I got are:

  1. The highly upvoted answer mentions that:

    Do all of this over SSL.

    That is, send the one-time link over SSL. I do not understand this point at all. How can you send someone a one-time reset link (in email presumably) over SSL?

  2. There was a comment by Anders under this question mentioning that a link will expire, but a one-time password will not. But again, I do not buy this. Passwords do expire if you want them to.

Furthermore, if the user has a username which is different from his email address, then a one-time password can actually be safer than a password reset link. Anybody can intercept the link, log in, and steal data, but if it is only the user who knows the username, then only he can use the one-time password.

You know how people dealing with information security react when they hear the words password and plaintext in the same sentence, right? If a one-time password reset link is just a one-time username+password, then this practice should be looked down upon even more, am I right?

All in all: Does sending one-time passwords over email in plaintext mean absolute incompetence?
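The properties argued over in this question (expiry, single use, and whether a copy of the server's table can be replayed) belong to the credential itself, not to whether it is delivered as a link or as a code the user types. The following is an added example, my own code rather than anything from the question or from the company it describes, that issues a reset-link token and a short numeric one-time code under the same store rules: both are hashed before storage, both expire, both are consumed on first use. The host name example.invalid, the fifteen-minute lifetime and the five-attempt limit are assumptions. What the two paths make visible is the one real difference: a 256-bit link token cannot be guessed, while a six-digit code has only a million possibilities and therefore also needs an attempt limit.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime; both credentials expire
MAX_OTP_ATTEMPTS = 5          # assumed guess limit for the low-entropy code
BASE_URL = "https://example.invalid"   # hypothetical host for the reset link

# Constructed in-memory stores standing in for database tables.
# Only a SHA-256 of each secret is kept, so a copied table cannot be replayed.
_reset_tokens = {}   # sha256(token) -> (username, expires_at)
_otp_codes = {}      # username -> {"hash": ..., "expires": ..., "attempts": ...}


def _sha256(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_reset_link(username, now=None):
    """Create a one-time reset link carrying a 256-bit random token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 32 random bytes: infeasible to guess
    _reset_tokens[_sha256(token)] = (username, now + TOKEN_TTL_SECONDS)
    return f"{BASE_URL}/reset?token={token}"


def redeem_reset_link(link, now=None):
    """Return the username the link was issued for, or None if invalid,
    expired or already used. The record is removed on the first attempt."""
    now = time.time() if now is None else now
    token = link.rsplit("token=", 1)[-1]
    entry = _reset_tokens.pop(_sha256(token), None)   # single use
    if entry is None:
        return None
    username, expires_at = entry
    return username if now <= expires_at else None


def issue_numeric_otp(username, now=None, digits=6):
    """Create a short numeric one-time code tied to a username.
    Same hashing, expiry and single-use rules as the link token."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    _otp_codes[username] = {
        "hash": _sha256(code),
        "expires": now + TOKEN_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def redeem_numeric_otp(username, code, now=None):
    """Return True if the code is correct and still valid, consuming it.
    Because the code space is tiny, guesses are counted and the record is
    discarded once MAX_OTP_ATTEMPTS is exceeded, even for a correct guess."""
    now = time.time() if now is None else now
    record = _otp_codes.get(username)
    if record is None:
        return False
    if now > record["expires"]:
        del _otp_codes[username]
        return False
    record["attempts"] += 1
    if record["attempts"] > MAX_OTP_ATTEMPTS:
        del _otp_codes[username]
        return False
    if hmac.compare_digest(record["hash"], _sha256(code)):
        del _otp_codes[username]   # single use
        return True
    return False


if __name__ == "__main__":
    link = issue_reset_link("alice")
    print("link valid for:", redeem_reset_link(link))      # alice
    print("second use:", redeem_reset_link(link))          # None
    otp = issue_numeric_otp("bob")
    print("otp accepted:", redeem_numeric_otp("bob", otp))  # True
```

Either credential can be delivered by e-mail; the mailbox is the weak point in both cases, which is why the record is short-lived and dies on first use. A username that the attacker does not know adds a little friction to the numeric path, but the attempt counter is what actually keeps a six-digit code from being brute-forced.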