Password Reset

Overview

This page contains recommendations for the implementation of password reset functionality.

Implement a password reset in one of the following ways:
During password reset do not indicate if a user with entered data exists or not. Ask for a username/email address/phone number/etc. and inform the a that if there is a user with the data entered, reset recommendations will be sent to them via the appropriate communication channel.
Only block an old password after a user has successfully passed the password reset step.
Do not automatically sign a user in. Once a user sets their new password, log out a user and send them to a usual login mechanism (with multi-factor authentication, if enabled).
Terminate all active sessions after the password reset. You can explicitly ask a user if they want to invalidate all of their existing sessions.
During password reset, request at least the following data:
- New password.
- Confirmation of the new password.
Link a random token (or one-time password) to an individual user in a database.
Do not reveal a current password in any way during the password reset.
Do not reveal a random token (or one-time password) in any way during the password reset.

Send a password reset URL to a user and pass a random token in the query string of the URL. For example:
```
https://website.local/account/password/reset?token=GiOzXAwlZ17NsW4CkVV8MQXtiQN9cWiY
```
Use random tokens of length 32+ bytes.
Set a short expiration time for a random token (~ 24 hours).
Use a random token once. Delete a random token or transfer it to a final status that prohibits reusing.

Use a time-based one-time password generated on the user side for confirmation of the password reset.

Last updated 1 year ago