Latest Education News, Free School Notes, and Revision Materials

How to build a secure password reset feature?

How to build a secure password reset feature is important for everyone developing websites that require passwords to login.

While the subject may be very sensitive for some developers who develop a website from the ground up should implement one.

People forget passwords and chances are you’ve experienced at least one of those many times as an end-user.

How Passwords are stored?

You must understand how the password is stored if you are to understand what to do with forgotten passwords.

Passwords can be stored in three different forms, namely;

  1. Plain text. Something like Admins@12345
  2. Encrypted something like 2d2NUo18CgvPEHllxgRnSr
  3. Hashed something like QWRtaW5zQDEyMzQ1

By default, most people tend to adopt using the encrypted choice, while advanced developers adopting hashing of passwords as their preferred choice of storing passwords. We don’t recommend that you adopt the plain text approach ever, as users tend to use the same password for every website.

Things you shouldn’t do when building a secure password reset feature;

  1. Sending a reset password
  2. Sending a reset URL with a password in it

Things you should do when building a secure password reset feature;

  1. Implement CAPTCHA on the reset
  2. Add secret question and answers; your questions should;-
    1. Your questions should be concise 
    2. The answers to the question should be specific, hard to guess and constant
  3. Implement Two-factor authentication
  4. Implement a notification system about any important account changes.
  5. Keep a log of all the changes on the account. Log, log and then log some more

Once you have thought of all the above, it time to get down to implement them.

Step 1: Check the details 

Check whether the supplied account details exist in your system. Usually, it can be an email, phone number or username.

 Step 2: start the reset process

If the supplied details exist in the system, send a message with a clickable reset token; ensure this is not leaked via the URL by using post.

The clickable reset token should be time stamped, i.e. it should expire after a specific period.

If the user clicks the reset token they should answer the security questions and complete the 2FA process.

Once successfully done, they should be able to change their password; you also delete the reset token and send the user a confirmation message about the change of password

If the supplied details don’t exist in the system, send a message to the email, this should initiate the account creation process.

Step 3: Grant access

Once the message has been delivered grant the user access to their account, and keep the logging details about account changes.

 Keep in mind also that you want to be logging the activity at as many of these points as possible. 


While this is a summarised way of the most secure way of building a secure password reset feature into your website, you should keep looking into ways of verifying users without having to use their passwords.

Despite having the best security features implemented, user education is important and the fact that resets aren’t difficult and at times implemented poorly.

Don’t be the example for others to use take care of your resets and build a threat model that touches various points always assume the worst and build on that as there will always be that one person who will try to break in.

Comments are closed.