Password Reset Security Checklist: 16-Item Guide

TL;DR

Secure password reset requires cryptographically random tokens, short expiration times (1 hour max), single-use tokens, rate limiting, and no information leakage about account existence. Always notify users when their password is reset and invalidate existing sessions. 6 critical items must be fixed before launch, 7 important items within the first week, and 3 recommended items when you can.

Quick Checklist (5 Critical Items)

Use cryptographically secure random tokensUse crypto.randomBytes() or equivalent, never predictable values

Make tokens single-useDelete or invalidate the token immediately after successful reset

Set short expiration timesTokens should expire within 1 hour, 15-30 minutes is better

::checklist-item{label="Do not reveal if email exists" description=""If an account exists, we sent instructions" for all requests"} ::

Rate limit reset requestsLimit requests per email and per IP to prevent abuse

Token Generation 4

Use cryptographically secure random tokensGenerate tokens using crypto.randomBytes() or equivalent. Never use predictable values like timestamps or sequential IDs. How to generate secure tokens

Use sufficient token entropyTokens should have at least 128 bits of randomness (32 hex characters or ~22 base64 characters). How to calculate token entropy

Hash tokens before storingStore a hash of the token in your database, not the raw token. If the database leaks, tokens are protected. How to hash reset tokens

Set short expiration timesTokens should expire within 1 hour. 15 to 30 minutes is better. Shorter windows reduce attack opportunity. How to configure token expiration

Request Handling 4

::checklist-item{label="Do not reveal if email exists" description="Always show the same message: "If an account exists, we sent instructions." Do not confirm or deny email existence. How to prevent account enumeration"} ::

Rate limit reset requestsLimit requests per email (e.g., 3 per hour) and per IP (e.g., 10 per hour) to prevent abuse. How to implement rate limiting

Log reset requestsRecord the email, IP address, and timestamp for all reset requests. Useful for detecting attacks. How to log security events

Invalidate previous reset tokensWhen a new reset is requested, invalidate any previous unused tokens for that account. How to invalidate old tokens

Reset Process 4

Make tokens single-useDelete or invalidate the token immediately after successful password reset. How to implement single-use tokens

Validate password strengthEnforce minimum password requirements on the new password. Check against common password lists. How to validate password strength

Invalidate all existing sessionsAfter password reset, log out all active sessions. The attacker should not retain access. How to invalidate all sessions

Require re-authentication for sensitive actionsEven after reset, require password or MFA confirmation before changing email or payment info. How to implement re-authentication

User Communication 4

Send email notification on reset requestNotify the user that a reset was requested. Include a link to contact support if it was not them. How to send reset notifications

Send email notification on password changeAlways notify users after their password is successfully changed. Include time and how to get help. How to notify on password change

Use secure email linksReset links should use HTTPS. Include the token in the URL path or query string, not in email body visible text. How to create secure email links

Include security guidance in emailsRemind users not to share the link, that links expire soon, and to report suspicious activity. How to write security email content

Common Password Reset Vulnerabilities

Password reset is one of the most attacked features in web applications. Common vulnerabilities include: predictable tokens, no rate limiting (enabling email bombing), account enumeration through different responses, tokens that never expire, and reusable tokens.

According to OWASP, broken authentication remains in the top 10 web application security risks. A secure password reset flow is essential for overall authentication security.

How long should password reset tokens be valid?

Password reset tokens should expire within 1 hour, with 15 to 30 minutes being more secure. Tokens should also be single-use, meaning they become invalid after a successful password reset.

Should I tell users if an email does not exist?

No. Always show the same message regardless of whether the email exists. Saying "email not found" lets attackers enumerate valid accounts. Say something like "If an account with this email exists, we have sent reset instructions."

Should I require the current password to reset?

For a "forgot password" flow, no. Users forgot their password, so they cannot provide it. For a "change password" feature (when logged in), yes, require the current password to prevent session hijacking attacks from changing the password.

TL;DR

Quick Checklist (5 Critical Items)

Token Generation 4

Request Handling 4

Reset Process 4

User Communication 4

Common Password Reset Vulnerabilities

How long should password reset tokens be valid?

Should I tell users if an email does not exist?

Should I require the current password to reset?

Related Articles

Authentication Security Checklist

How to Build Secure Password Reset

How to Rate Limit Authentication

Test Your Password Reset

Password Reset Security Checklist: 16-Item Guide