But is it that much harder to provide a unique and expiring reset link in the email instead of sending a new password?