[{"data":1,"prerenderedAt":212},["ShallowReactive",2],{"blog-checklists/password-reset-checklist":3},{"id":4,"title":5,"body":6,"category":188,"date":189,"dateModified":189,"description":190,"draft":191,"extension":192,"faq":193,"featured":191,"headerVariant":197,"image":198,"keywords":198,"meta":199,"navigation":200,"ogDescription":201,"ogTitle":198,"path":202,"readTime":198,"schemaOrg":203,"schemaType":204,"seo":205,"sitemap":206,"stem":207,"tags":208,"twitterCard":210,"__hash__":211},"blog/blog/checklists/password-reset-checklist.md","Password Reset Security Checklist: 16-Item Guide",{"type":7,"value":8,"toc":182},"minimark",[9,16,19,22,46,64,81,99,118,123,126,129,151,170],[10,11,12],"tldr",{},[13,14,15],"p",{},"Secure password reset requires cryptographically random tokens, short expiration times (1 hour max), single-use tokens, rate limiting, and no information leakage about account existence. Always notify users when their password is reset and invalidate existing sessions. 6 critical items must be fixed before launch, 7 important items within the first week, and 3 recommended items when you can.",[13,17,18],{},"Password reset is one of those features that looks simple on the surface but has a surprisingly large attack surface. Attackers love targeting it because a broken reset flow is basically a free account takeover. \nGet the fundamentals right here and you eliminate one of the most common ways people lose control of their accounts.",[20,21],"print-button",{},[23,24,26,31,35,39,42],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Use crypto.randomBytes() or equivalent, never predictable values","Use cryptographically secure random tokens",[27,32],{"description":33,"label":34},"Delete or invalidate the token immediately after successful reset","Make tokens single-use",[27,36],{"description":37,"label":38},"Tokens should expire within 1 hour, 15-30 minutes is better","Set short expiration times",[13,40,41],{},"::checklist-item{label=\"Do not reveal if email exists\" description=\"\"If an account exists, we sent instructions\" for all requests\"}\n::",[27,43],{"description":44,"label":45},"Limit requests per email and per IP to prevent abuse","Rate limit reset requests",[23,47,50,53,57,61],{"title":48,"count":49},"Token Generation","4",[27,51],{"description":52,"label":30},"Generate tokens using crypto.randomBytes() or equivalent. Never use predictable values like timestamps or sequential IDs. How to generate secure tokens",[27,54],{"description":55,"label":56},"Tokens should have at least 128 bits of randomness (32 hex characters or ~22 base64 characters). How to calculate token entropy","Use sufficient token entropy",[27,58],{"description":59,"label":60},"Store a hash of the token in your database, not the raw token. If the database leaks, tokens are protected. How to hash reset tokens","Hash tokens before storing",[27,62],{"description":63,"label":38},"Tokens should expire within 1 hour. 15 to 30 minutes is better. Shorter windows reduce attack opportunity. \nHow to configure token expiration",[23,65,67,70,73,77],{"title":66,"count":49},"Request Handling",[13,68,69],{},"::checklist-item{label=\"Do not reveal if email exists\" description=\"Always show the same message: \"If an account exists, we sent instructions.\" Do not confirm or deny email existence. How to prevent account enumeration\"}\n::",[27,71],{"description":72,"label":45},"Limit requests per email (e.g., 3 per hour) and per IP (e.g., 10 per hour) to prevent abuse. How to implement rate limiting",[27,74],{"description":75,"label":76},"Record the email, IP address, and timestamp for all reset requests. Useful for detecting attacks. How to log security events","Log reset requests",[27,78],{"description":79,"label":80},"When a new reset is requested, invalidate any previous unused tokens for that account. How to invalidate old tokens","Invalidate previous reset tokens",[23,82,84,87,91,95],{"title":83,"count":49},"Reset Process",[27,85],{"description":86,"label":34},"Delete or invalidate the token immediately after successful password reset. How to implement single-use tokens",[27,88],{"description":89,"label":90},"Enforce minimum password requirements on the new password. Check against common password lists. How to validate password strength","Validate password strength",[27,92],{"description":93,"label":94},"After password reset, log out all active sessions. The attacker should not retain access. How to invalidate all sessions","Invalidate all existing sessions",[27,96],{"description":97,"label":98},"Even after reset, require password or MFA confirmation before changing email or payment info. How to implement re-authentication","Require re-authentication for sensitive actions",[23,100,102,106,110,114],{"title":101,"count":49},"User Communication",[27,103],{"description":104,"label":105},"Notify the user that a reset was requested. Include a link to contact support if it was not them. \nHow to send reset notifications","Send email notification on reset request",[27,107],{"description":108,"label":109},"Always notify users after their password is successfully changed. Include time and how to get help. How to notify on password change","Send email notification on password change",[27,111],{"description":112,"label":113},"Reset links should use HTTPS. Include the token in the URL path or query string, not in email body visible text. How to create secure email links","Use secure email links",[27,115],{"description":116,"label":117},"Remind users not to share the link, that links expire soon, and to report suspicious activity. How to write security email content","Include security guidance in emails",[119,120,122],"h2",{"id":121},"common-password-reset-vulnerabilities","Common Password Reset Vulnerabilities",[13,124,125],{},"Password reset is one of the most attacked features in web applications. Common vulnerabilities include: predictable tokens, no rate limiting (enabling email bombing), account enumeration through different responses, tokens that never expire, and reusable tokens.",[13,127,128],{},"According to OWASP, broken authentication remains in the top 10 web application security risks. A secure password reset flow is essential for overall authentication security.",[130,131,132,139,145],"faq-section",{},[133,134,136],"faq-item",{"question":135},"How long should password reset tokens be valid?",[13,137,138],{},"Password reset tokens should expire within 1 hour, with 15 to 30 minutes being more secure. Tokens should also be single-use, meaning they become invalid after a successful password reset.",[133,140,142],{"question":141},"Should I tell users if an email does not exist?",[13,143,144],{},"No. Always show the same message regardless of whether the email exists. Saying \"email not found\" lets attackers enumerate valid accounts. \nSay something like \"If an account with this email exists, we have sent reset instructions.\"",[133,146,148],{"question":147},"Should I require the current password to reset?",[13,149,150],{},"For a \"forgot password\" flow, no. Users forgot their password, so they cannot provide it. For a \"change password\" feature (when logged in), yes, require the current password to prevent session hijacking attacks from changing the password.",[152,153,154,160,165],"related-articles",{},[155,156],"related-card",{"description":157,"href":158,"title":159},"Complete auth security guide","/blog/checklists/authentication-security-checklist","Authentication Security Checklist",[155,161],{"description":162,"href":163,"title":164},"Step-by-step implementation","/blog/how-to/hash-passwords-securely","How to Build Secure Password Reset",[155,166],{"description":167,"href":168,"title":169},"Protect against brute force attacks","/blog/how-to/implement-rate-limiting","How to Rate Limit Authentication",[171,172,175,179],"cta-box",{"href":173,"label":174},"/","Start Free Scan",[119,176,178],{"id":177},"test-your-password-reset","Test Your Password Reset",[13,180,181],{},"Security scanning can help identify authentication vulnerabilities.",{"title":183,"searchDepth":184,"depth":184,"links":185},"",2,[186,187],{"id":121,"depth":184,"text":122},{"id":177,"depth":184,"text":178},"checklists","2026-02-02","Password reset security checklist. Implement secure token generation, expiration, rate limiting, and user notification to prevent account takeover attacks.",false,"md",[194,195],{"question":135,"answer":138},{"question":141,"answer":196},"No. Always show the same message regardless of whether the email exists. Saying 'email not found' lets attackers enumerate valid accounts. \nSay something like 'If an account with this email exists, we have sent reset instructions.'","green",null,{},true,"Build a secure password reset flow with this security checklist.","/blog/checklists/password-reset-checklist","[object Object]","HowTo",{"title":5,"description":190},{"loc":202},"blog/checklists/password-reset-checklist",[209],"Security Checklist","summary_large_image","QmXjs43T81PkuEi0-wlNg1Kw-FwLJS4ZJzCdE6YrhCQ",1775843930909]