The added security comes through how the new "plaintext password" is randomly generated (so you don't have to worry about users picking bad passwords).
~~Although it seems PATs are ~42 bits, which seems a little low~~
I didn't even know access tokens were a thing until just right now. In my reading about them, I found this, which has a screenshot, which suggests the token has ~40 hex digits. Assuming they're independent and random, that yields ~160 bits. Where are you seeing 42?
~~Although it seems PATs are ~42 bits, which seems a little low~~