> Medium still isn't winning any security points here.
Sure they are. Removing a credential—in this case, passwords—is strictly more secure. It's the same rationale as to why 2FA with just a TOTP app is more secure than TOTP app + SMS backup. And the emailed links are analogous to password reset links so there's no erosion of security there, provided they're properly secured (one time use, time bounded, etc.).
Also, realistically, if they used passwords, many of their users would probably re-use the same email,password pair at other sites. If any of those other sites use bad password hashing hygiene AND get hacked, then the users' account security is busted.
Sure they are. Removing a credential—in this case, passwords—is strictly more secure. It's the same rationale as to why 2FA with just a TOTP app is more secure than TOTP app + SMS backup. And the emailed links are analogous to password reset links so there's no erosion of security there, provided they're properly secured (one time use, time bounded, etc.).
Also, realistically, if they used passwords, many of their users would probably re-use the same email,password pair at other sites. If any of those other sites use bad password hashing hygiene AND get hacked, then the users' account security is busted.