TL;DR
Password reset is a common attack vector. Use cryptographically random tokens, short expiration times, single-use tokens, and don't reveal if emails exist. These prompts help you build a reset flow that doesn't compromise account security.
Secure Reset Token Generation
Implement secure password reset token generation.
Requirements:
- Generate cryptographically random token (32+ bytes)
- Store hashed token in database (not plain text)
- Set expiration time (1 hour maximum)
- Associate token with user ID
- Single-use: invalidate after use
Token storage:
- password_reset_tokens table
- user_id, token_hash, expires_at, used_at
- Index on token_hash for fast lookup
Generate URL: /reset-password?token={token}
Security checks:
- Token exists and not expired
- Token not already used
- Hash comparison for lookup
- Delete or mark used after successful reset
Prevent Account Enumeration
Implement password reset request without revealing account existence.
When user submits email:
- Always show same success message
- Always take same amount of time
- Send email only if account exists
- Log attempt regardless of result
Response message (always): "If an account exists with this email, you will receive reset instructions."
Implementation:
- Look up user by email
- If exists: generate token, send email
- If not exists: do nothing, but same response time
- Add artificial delay to match email sending time
Rate limiting:
- Max 3 reset requests per email per hour
- Max 10 reset requests per IP per hour
- Apply rate limit even for non-existent emails
Never confirm email existence: Messages like "No account found with this email" let attackers enumerate valid accounts. Always use the same response regardless of whether the email exists.
Reset Completion Flow
Implement the password reset completion securely.
When user clicks reset link:
- Validate token (exists, not expired, not used)
- Show password reset form
- Validate new password strength
- Hash new password properly
- Update user's password
- Invalidate the reset token
- Invalidate all existing sessions
- Send confirmation email
- Redirect to login
Password requirements:
- Minimum 8 characters
- Not in common password list
- Not same as email/username
After reset:
- Log the password change event
- Notify user via email
- Clear all "remember me" tokens
- Require fresh login everywhere
Reset Email Security
Create a secure password reset email template.
Email should include:
- Clear subject: "Password Reset Request"
- Greeting with user's name (not email)
- Reset link (HTTPS only)
- Expiration time clearly stated
- Warning if user didn't request this
- Link to report suspicious activity
Security considerations:
- Don't include the email address in the email
- Don't include any account details
- Make reset link one-time use
- Include request metadata (time, IP) for user reference
Sample text: "You requested a password reset. Click below to reset your password. This link expires in 1 hour. If you didn't request this, please ignore this email or contact support if you're concerned."
Pro tip: Consider adding a security question or requiring email confirmation of the reset request for high-value accounts to prevent email-based account takeover.
How long should reset tokens be valid?
1 hour is a good balance. Long enough for users to check email, short enough to limit attack window. Some apps use 15-30 minutes for higher security.
Should I invalidate all sessions on password reset?
Yes. If someone's password was compromised, attackers might have active sessions. Force logout everywhere and require re-authentication with the new password.