A password can usually be changed if compromised, and a password system usually contains measures to prevent brute-forcing; like cooldown times and a lockout after three guesses for example.
If you build those same measures into your URL then they have the same level of security; plus you can make your URL key a lot longer than would be comfortable for a password.
If you build those same measures into your URL then they have the same level of security; plus you can make your URL key a lot longer than would be comfortable for a password.