
I'm not sure if I can totally agree with the author. I understand his pain, but email isn't the most secure place. If your email is being "watched" by someone else, then that someone else can access other web services that you own WITHOUT having to type passwords! I know that it is very rare to have your email being watched, but in security, even the rarest case should be taken into consideration. It's a trade-off between user experience and security. This is something you find very often in software engineering.


> If your email is being "watched" by someone else, then that someone else can access other web services that you own WITHOUT having to type passwords!

The person watching your email can ALREADY DO THAT NOW by clicking on the "I forgot my password" link, intercepting the reset email, and then setting a new password and logging in.


That assumes someone has live access to your email. If someone has a recent enough dump (or simply a mail you forwarded to yourself, because you didn't understand the security implications), then the "forgot password" button really does provide more security than login tokens inside the URL.
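The stale-dump and forwarded-mail scenario in the reply above is exactly the failure mode that single-use, short-lived login tokens are meant to neutralize: a link that has already been clicked, or that is older than its lifetime, must redeem to nothing. The Python below is an added example written for this thread, not code from any of the commenters or from the article they are discussing; the host name, the 15-minute lifetime and the in-memory store are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed policy for this example: a magic link dies 15 minutes after issue.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class _PendingLogin:
    user_id: str
    expires_at: float
    consumed: bool = False


class MagicLinkStore:
    """Issues and redeems login tokens that are valid exactly once, briefly.

    Only the SHA-256 hash of each token is kept server-side, so a leak of
    this table does not yield working links; the raw token lives only in
    the e-mail. `clock` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, clock=time.time, ttl=TOKEN_TTL_SECONDS):
        self._clock = clock
        self._ttl = ttl
        self._pending: dict[str, _PendingLogin] = {}  # keyed by token hash

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Mint a fresh 256-bit token for user_id and return the link to e-mail."""
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = _PendingLogin(
            user_id=user_id,
            expires_at=self._clock() + self._ttl,
        )
        # Hypothetical application host; only the query parameter matters here.
        return f"https://app.example.invalid/login?token={token}"

    def redeem(self, token: str):
        """Return the user_id for a live, unused token; otherwise None.

        Replayed tokens (already consumed) and expired tokens both fail, which
        is what makes a link recovered from an old mailbox dump worthless.
        """
        entry = self._pending.get(self._hash(token))
        if entry is None:
            return None
        if entry.consumed or self._clock() > entry.expires_at:
            return None
        entry.consumed = True  # burn it before returning, so a race cannot reuse it
        return entry.user_id


def token_from_link(link: str) -> str:
    """Pull the token parameter back out of an issued link (what the browser sends)."""
    values = parse_qs(urlparse(link).query).get("token", [])
    return values[0] if values else ""


if __name__ == "__main__":
    # Stand-alone walk-through of the three cases the thread argues about.
    now = [1_000_000.0]
    store = MagicLinkStore(clock=lambda: now[0])
    link = store.issue("alice")
    tok = token_from_link(link)
    print("first click :", store.redeem(tok))   # alice
    print("replay      :", store.redeem(tok))   # None: already consumed
    stale = token_from_link(store.issue("alice"))
    now[0] += TOKEN_TTL_SECONDS + 1              # the "recent enough dump" is now too old
    print("stale link  :", store.redeem(stale))  # None: expired
```

The same store shape works for password-reset tokens; the only difference is what a successful redeem() is allowed to do next (start a session versus permit a single password change), which is why the two mechanisms share the threat model the earlier replies describe.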




