Authentication

Secure Password Reset Flow with AI Prompts

February 2026

TL;DR

Password reset is a common attack vector. Use cryptographically random tokens, short expiration times, single-use tokens, and don't reveal if emails exist. These prompts help you build a reset flow that doesn't compromise account security.

Secure Reset Token Generation

Copy this prompt to generate a secure password reset token system. Your AI will produce cryptographically random token generation, hashed database storage, expiration handling, and single-use enforcement.

AI Prompt

Generate Reset Tokens

Implement secure password reset token generation.

Requirements:

  1. Generate cryptographically random token (32+ bytes)
  2. Store hashed token in database (not plain text)
  3. Set expiration time (1 hour maximum)
  4. Associate token with user ID
  5. Single-use: invalidate after use

Token storage:

  • password_reset_tokens table
  • user_id, token_hash, expires_at, used_at
  • Index on token_hash for fast lookup

Generate URL: /reset-password?token={token}

Security checks:

  • Token exists and not expired
  • Token not already used
  • Hash comparison for lookup
  • Delete or mark used after successful reset

Prevent Account Enumeration

Use this prompt to build a password reset request endpoint that never reveals whether an account exists. Your AI will generate consistent response messages, timing-safe handling, and rate limiting for both existing and non-existing emails.

AI Prompt

Safe Reset Request

Implement password reset request without revealing account existence.

When user submits email:

  1. Always show same success message
  2. Always take same amount of time
  3. Send email only if account exists
  4. Log attempt regardless of result

Response message (always): "If an account exists with this email, you will receive reset instructions."

Implementation:

  • Look up user by email
  • If exists: generate token, send email
  • If not exists: do nothing, but same response time
  • Add artificial delay to match email sending time

Rate limiting:

  • Max 3 reset requests per email per hour
  • Max 10 reset requests per IP per hour
  • Apply rate limit even for non-existent emails

Never confirm email existence: Messages like "No account found with this email" let attackers enumerate valid accounts. Always use the same response regardless of whether the email exists.

Reset Completion Flow

This prompt asks your AI to implement the full password reset completion flow. You'll get token validation, password strength checking, secure hashing, session invalidation across all devices, and a confirmation email trigger.

AI Prompt

Complete Password Reset

Implement the password reset completion securely.

When user clicks reset link:

  1. Validate token (exists, not expired, not used)
  2. Show password reset form
  3. Validate new password strength
  4. Hash new password properly
  5. Update user's password
  6. Invalidate the reset token
  7. Invalidate all existing sessions
  8. Send confirmation email
  9. Redirect to login

Password requirements:

  • Minimum 8 characters
  • Not in common password list
  • Not same as email/username

After reset:

  • Log the password change event
  • Notify user via email
  • Clear all "remember me" tokens
  • Require fresh login everywhere

Reset Email Security

Copy this prompt to generate a secure password reset email template. Your AI will create an email with proper security warnings, one-time HTTPS links, expiration notices, and no leaked account details.

AI Prompt

Secure Reset Email

Create a secure password reset email template.

Email should include:

  1. Clear subject: "Password Reset Request"
  2. Greeting with user's name (not email)
  3. Reset link (HTTPS only)
  4. Expiration time clearly stated
  5. Warning if user didn't request this
  6. Link to report suspicious activity

Security considerations:

  • Don't include the email address in the email
  • Don't include any account details
  • Make reset link one-time use
  • Include request metadata (time, IP) for user reference

Sample text: "You requested a password reset. Click below to reset your password. This link expires in 1 hour. If you didn't request this, please ignore this email or contact support if you're concerned."

Pro tip: Consider adding a security question or requiring email confirmation of the reset request for high-value accounts to prevent email-based account takeover.

How long should reset tokens be valid?

1 hour is a good balance. Long enough for users to check email, short enough to limit attack window. Some apps use 15-30 minutes for higher security.

Should I invalidate all sessions on password reset?

Yes. If someone's password was compromised, attackers might have active sessions. Force logout everywhere and require re-authentication with the new password.

Further Reading

Want to understand the vulnerability before fixing it? These guides explain what's happening and why.

Related Articles

Add Password Hashing

Secure password storage

Secure Login Flow

Complete login security

Check Your Reset Flow

Scan your password reset for security issues.

AI Fix Prompts

Secure Password Reset Flow with AI Prompts