[{"data":1,"prerenderedAt":404},["ShallowReactive",2],{"blog-prompts/secure-password-reset":3},{"id":4,"title":5,"body":6,"category":383,"date":384,"dateModified":385,"description":386,"draft":387,"extension":388,"faq":389,"featured":387,"headerVariant":390,"image":389,"keywords":389,"meta":391,"navigation":392,"ogDescription":393,"ogTitle":389,"path":394,"readTime":389,"schemaOrg":395,"schemaType":396,"seo":397,"sitemap":398,"stem":399,"tags":400,"twitterCard":402,"__hash__":403},"blog/blog/prompts/secure-password-reset.md","Secure Password Reset Flow with AI Prompts",{"type":7,"value":8,"toc":373},"minimark",[9,16,21,24,88,92,95,152,162,166,169,238,242,245,294,303,319,323,326,347,361],[10,11,12],"tldr",{},[13,14,15],"p",{},"Password reset is a common attack vector. Use cryptographically random tokens, short expiration times, single-use tokens, and don't reveal if emails exist. These prompts help you build a reset flow that doesn't compromise account security.",[17,18,20],"h2",{"id":19},"secure-reset-token-generation","Secure Reset Token Generation",[13,22,23],{},"Copy this prompt to generate a secure password reset token system. 
Your AI will produce cryptographically random token generation, hashed database storage, expiration handling, and single-use enforcement.",[25,26,28,31,34,53,56,68,71,74],"prompt-box",{"title":27},"Generate Reset Tokens",[13,29,30],{},"Implement secure password reset token generation.",[13,32,33],{},"Requirements:",[35,36,37,41,44,47,50],"ol",{},[38,39,40],"li",{},"Generate cryptographically random token (32+ bytes)",[38,42,43],{},"Store hashed token in database (not plain text)",[38,45,46],{},"Set expiration time (1 hour maximum)",[38,48,49],{},"Associate token with user ID",[38,51,52],{},"Single-use: invalidate after use",[13,54,55],{},"Token storage:",[57,58,59,62,65],"ul",{},[38,60,61],{},"password_reset_tokens table",[38,63,64],{},"user_id, token_hash, expires_at, used_at",[38,66,67],{},"Index on token_hash for fast lookup",[13,69,70],{},"Generate URL: /reset-password?token={token}",[13,72,73],{},"Security checks:",[57,75,76,79,82,85],{},[38,77,78],{},"Token exists and has not expired",[38,80,81],{},"Token not already used",[38,83,84],{},"Look up by hashing the submitted token and matching token_hash",[38,86,87],{},"Delete or mark used after successful reset",[17,89,91],{"id":90},"prevent-account-enumeration","Prevent Account Enumeration",[13,93,94],{},"Use this prompt to build a password reset request endpoint that never reveals whether an account exists. 
Your AI will generate consistent response messages, timing-safe handling, and rate limiting for both existing and non-existent emails.",[25,96,98,101,104,118,121,124,138,141],{"title":97},"Safe Reset Request",[13,99,100],{},"Implement password reset request without revealing account existence.",[13,102,103],{},"When user submits email:",[35,105,106,109,112,115],{},[38,107,108],{},"Always show the same success message",[38,110,111],{},"Always take the same amount of time",[38,113,114],{},"Send email only if account exists",[38,116,117],{},"Log attempt regardless of result",[13,119,120],{},"Response message (always):\n\"If an account exists with this email, you will receive reset instructions.\"",[13,122,123],{},"Implementation:",[57,125,126,129,132,135],{},[38,127,128],{},"Look up user by email",[38,130,131],{},"If exists: generate token, send email",[38,133,134],{},"If not exists: send nothing, but keep the same response time",[38,136,137],{},"Add artificial delay to match email sending time",[13,139,140],{},"Rate limiting:",[57,142,143,146,149],{},[38,144,145],{},"Max 3 reset requests per email per hour",[38,147,148],{},"Max 10 reset requests per IP per hour",[38,150,151],{},"Apply rate limit even for non-existent emails",[153,154,155],"warning-box",{},[13,156,157,161],{},[158,159,160],"strong",{},"Never confirm email existence:"," Messages like \"No account found with this email\" let attackers enumerate valid accounts. Always return the same message, in the same amount of time, whether or not the email is registered.",[17,163,165],{"id":164},"reset-completion-flow","Reset Completion Flow",[13,167,168],{},"This prompt asks your AI to implement the full password reset completion flow. 
You'll get token validation, password strength checking, secure hashing, session invalidation across all devices, and a confirmation email trigger.",[25,170,172,175,178,207,210,221,224],{"title":171},"Complete Password Reset",[13,173,174],{},"Implement the password reset completion securely.",[13,176,177],{},"When user clicks reset link:",[35,179,180,183,186,189,192,195,198,201,204],{},[38,181,182],{},"Validate token (exists, not expired, not used)",[38,184,185],{},"Show password reset form",[38,187,188],{},"Validate new password strength",[38,190,191],{},"Hash new password properly",[38,193,194],{},"Update user's password",[38,196,197],{},"Invalidate the reset token",[38,199,200],{},"Invalidate all existing sessions",[38,202,203],{},"Send confirmation email",[38,205,206],{},"Redirect to login",[13,208,209],{},"Password requirements:",[57,211,212,215,218],{},[38,213,214],{},"Minimum 8 characters",[38,216,217],{},"Not in common password list",[38,219,220],{},"Not same as email/username",[13,222,223],{},"After reset:",[57,225,226,229,232,235],{},[38,227,228],{},"Log the password change event",[38,230,231],{},"Notify user via email",[38,233,234],{},"Clear all \"remember me\" tokens",[38,236,237],{},"Require fresh login everywhere",[17,239,241],{"id":240},"reset-email-security","Reset Email Security",[13,243,244],{},"Copy this prompt to generate a secure password reset email template. 
Your AI will create an email with proper security warnings, one-time HTTPS links, expiration notices, and no leaked account details.",[25,246,248,251,254,274,277,291],{"title":247},"Secure Reset Email",[13,249,250],{},"Create a secure password reset email template.",[13,252,253],{},"Email should include:",[35,255,256,259,262,265,268,271],{},[38,257,258],{},"Clear subject: \"Password Reset Request\"",[38,260,261],{},"Greeting with user's name (not email)",[38,263,264],{},"Reset link (HTTPS only)",[38,266,267],{},"Expiration time clearly stated",[38,269,270],{},"Warning if user didn't request this",[38,272,273],{},"Link to report suspicious activity",[13,275,276],{},"Security considerations:",[57,278,279,282,285,288],{},[38,280,281],{},"Don't include the email address in the email",[38,283,284],{},"Don't include any account details",[38,286,287],{},"Make reset link one-time use",[38,289,290],{},"Include request metadata (time, IP) for user reference",[13,292,293],{},"Sample text:\n\"You requested a password reset. Click below to reset your password. This link expires in 1 hour. If you didn't request this, please ignore this email or contact support if you're concerned.\"",[295,296,297],"tip-box",{},[13,298,299,302],{},[158,300,301],{},"Pro tip:"," Consider adding a security question or requiring email confirmation of the reset request for high-value accounts to prevent email-based account takeover. Treat a security question as a weak extra check, since answers can often be guessed or looked up, and note that a confirmation sent to the same mailbox does not help if that mailbox is already compromised.",[304,305,306,313],"faq-section",{},[307,308,310],"faq-item",{"question":309},"How long should reset tokens be valid?",[13,311,312],{},"1 hour is a good balance: long enough for users to check their email, short enough to limit the attack window. Some apps use 15-30 minutes for higher security.",[307,314,316],{"question":315},"Should I invalidate all sessions on password reset?",[13,317,318],{},"Yes. If someone's password was compromised, attackers might have active sessions. 
Force logout everywhere and require re-authentication with the new password.",[17,320,322],{"id":321},"further-reading","Further Reading",[13,324,325],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[57,327,328,335,341],{},[38,329,330],{},[331,332,334],"a",{"href":333},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[38,336,337],{},[331,338,340],{"href":339},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[38,342,343],{},[331,344,346],{"href":345},"/blog/best-practices/secrets","Secret management best practices",[348,349,350,356],"related-articles",{},[351,352],"related-card",{"description":353,"href":354,"title":355},"Secure password storage","/blog/prompts/add-password-hashing","Add Password Hashing",[351,357],{"description":358,"href":359,"title":360},"Complete login security","/blog/prompts/secure-login-flow","Secure Login Flow",[362,363,366,370],"cta-box",{"href":364,"label":365},"/","Start Free Scan",[17,367,369],{"id":368},"check-your-reset-flow","Check Your Reset Flow",[13,371,372],{},"Scan your password reset for security issues.",{"title":374,"searchDepth":375,"depth":375,"links":376},"",2,[377,378,379,380,381,382],{"id":19,"depth":375,"text":20},{"id":90,"depth":375,"text":91},{"id":164,"depth":375,"text":165},{"id":240,"depth":375,"text":241},{"id":321,"depth":375,"text":322},{"id":368,"depth":375,"text":369},"prompts","2026-02-27","2026-03-06","AI prompts to implement secure password reset. Create safe reset tokens, prevent account enumeration, and protect against reset flow attacks.",false,"md",null,"cyan",{},true,"AI prompts to implement secure password reset flows.","/blog/prompts/secure-password-reset","[object Object]","BlogPosting",{"title":5,"description":386},{"loc":394},"blog/prompts/secure-password-reset",[401],"Authentication","summary_large_image","jwBJqU0YY7V_rtJxE4lPi__Mpam6iYPhSy09UWqdbQc",1775843937968]