Note: The password in this image is no longer valid, so don't kill me.

This is just used by their wiki; the site with the payment stuff uses a different system (and a separate login).

  • SpikesOtherDog@ani.social · 3 upvotes · 8 days ago

    I don’t have a problem with it assuming the password must be changed immediately.

    This is just as secure as emailing a password reset link or a passcode.

  • WatchfulConsole@sh.itjust.works · 3 upvotes · edited · 8 days ago

    Not much different than a link to change your password that had those two random values added as a query parameter (which is what the link you get effectively does). Uncommon way to do it, but no real difference in the security model. Good to see they have a way to expire the password and force you to reset it if they ever had a compromise (since they note it has less than 1 day’s validity). Another upside is that by having already changed your password to this new random value, your account should also be locked until the password is changed. That one’s a mixed bag. Could be nice to know someone tried, could be frustrating if someone uses this to mildly DoS your account.

  • vf2000@lemmy.zip · 2 upvotes · 8 days ago

    No, it is not “insecure.” It aligns with OWASP guidance: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

    When would it be problematic? It would be problematic if they sent your actual password in cleartext as part of the “reset.” This would show that they can access your password in plain text within their database, which is the worst way of storing passwords on servers. (Dedicated password hashing algorithms exist to securely store passwords.) What they provided you is a one-time password.

  • nocturne@slrpnk.net · 1 upvote, 1 downvote · 8 days ago

    I used to work for a temp agency that did this. I contacted their IT multiple times regarding it. Their response was that as long as your email is secure, the password is secure.