"safe" (or safer) autologin module

There's recently been some discussion about the autologin module and the "feature" it provides.

I'd like to examine ways to make it safer. So, we start with the stated use case:

Our client has requested to have a form created for a survey they’re running. One of the requirements was to have user-specific login details while the same time not requiring a traditional login by entering username and password into a form. Every respondent was to be emailed a link that would lead to the survey itself. After the survey is completed the user cannot retake it rendering the link itself useless.

Problems with the Autlogin module from a security perspective:

• Sends username and password in e-mail in clear text. This is not much worse than the standard registration mail from Drupal which does this.
• Puts username/password into URL - this is a bigger problem, in my opinion. While username and password are generally sent plain text - just as the URL parameters are - the POST data in an HTTP request is not generally stored along the way. URLs are often stored by proxy servers along the way. They are also stored by the web server log files (Apache access.log). This leaves the password available in two places.

Possible solutions

• Since this was a "one time" use situation, the site could change the user's password as soon as their session starts (or as soon as the form submits or something) so that anyone who attempts to use the password based on the proxy log or web server log would not be able to login.
• It could use a system similar to (or exactly the same as) the Drupal core one time login system. This uses a randomly generated token to let the user login and sends the token in the GET request instead of the username/password. It also immediately gets rid of the token (it is "one time) so that it cannot be re-used from the proxy/webserver log files.

Thoughts?