I don't get it. How is mistakenly giving a one-time login to a malicious actor worse than giving it a permanent login (aka your password) ?