Password Reset
The account recovery flow — a trust-critical moment that must be secure, fast, and clear.
What is it?
Password reset is the flow that allows users who have forgotten their password to regain access to their account. It is a trust-critical flow — users are anxious (they can't access their account) and rely on the product to help them quickly and securely. Poor design here loses users permanently.
Why it matters
Users who can't access their account are moments away from churning. A fast, simple password reset retains them; a confusing or slow one drives them to abandon the product. Password reset is also a common attack vector: predictable or reusable tokens, links that never expire, and responses that confirm whether an account exists all turn a recovery feature into an account-takeover path.
Best Practices
- Request only the email address on the forgot password page, nothing else.
- Send the reset link immediately and return the same message whether or not the address is registered: "If an account exists with that email, a reset link was sent." Keep the response time consistent as well; a noticeably faster "no account" path leaks the same information as an explicit message.
- Reset tokens must come from a cryptographically secure random generator, be long enough that guessing is infeasible, and be stored only as a hash so a leaked database yields no usable links.
- Reset links must expire (24 hours at the outside; shorter is better) and work exactly once. Issuing a new link, or completing a reset, voids any earlier link for the same account.
- Deliver the link over HTTPS only, and keep the page it lands on free of third-party resources so the token in the URL does not leak through the Referer header.
- The reset link should land on a form with two fields: new password and confirm.
- Show the password requirements on the reset form, and validate the new password before consuming the token so a rejected password does not send the user back to their inbox for a fresh link.
- After a successful reset: start a fresh session (never reuse a session identifier that existed before the reset), log the user in automatically and redirect to their intended destination.
- Send a security notification email: "Your password was changed on [date] from [location]. If this wasn't you, contact us."
- Limit reset requests to 3–5 per hour per email, and rate-limit by source IP as well, to prevent abuse. When the limit is hit, return the same generic message rather than an error that reveals the address was recognised.
- Don't expire sessions on other already-logged-in devices for a routine reset; a user who simply forgot their password should not be signed out everywhere. If the reset follows a suspected compromise, invalidate every other session, and in any case offer a "sign out of all other devices" option on the confirmation page.
- For passwordless products, the "magic link" sent to email is the equivalent of a password reset and needs the same protections: random, short-lived, single use.
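The request and consume halves of that procedure, written out as an added example (this is not the page's code or any product's implementation): an in-memory Python reset service that issues CSPRNG tokens, stores only their hash, enforces expiry and single use, voids an earlier link when a new one is issued, throttles per address, and answers identically whether or not the account exists. The policy values, the example.test addresses and reset URL, the scrypt password hashing, and the outbox list standing in for email delivery are all assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Assumed policy values (not from the page): 1 h link validity (the page allows up to 24 h),
# 3 reset emails per address per hour, 12-character minimum for the new password.
TOKEN_TTL = 60 * 60
RESET_LIMIT = 3
RESET_WINDOW = 60 * 60
MIN_PASSWORD_LEN = 12
GENERIC_REPLY = "If an account exists with that email, a reset link was sent."
RESET_URL = "https://example.test/reset?token="   # hypothetical reset page


def hash_password(password: str, salt: bytes | None = None) -> str:
    """scrypt with a random 16-byte salt, stored as salt$hash (hex)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


@dataclass
class User:
    email: str
    password_hash: str
    reset_token_hash: str | None = None   # at most one outstanding reset link per account


@dataclass
class ResetService:
    users: dict[str, User]
    tokens: dict[str, tuple[str, float]] = field(default_factory=dict)   # token hash -> (email, expiry)
    outbox: list[tuple[str, str]] = field(default_factory=list)           # (recipient, body); stands in for SMTP
    requests: dict[str, list[float]] = field(default_factory=dict)        # email -> request timestamps
    now: Callable[[], float] = time.time                                  # injectable clock for tests

    @staticmethod
    def _token_hash(token: str) -> str:
        # Only the SHA-256 of the token is stored, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> str:
        """Forgot-password endpoint. Same reply and same work whether or not the account exists."""
        t = self.now()
        recent = [s for s in self.requests.get(email, []) if t - s < RESET_WINDOW]
        self.requests[email] = recent + [t]
        if len(recent) >= RESET_LIMIT:
            return GENERIC_REPLY            # throttled silently; no hint to an enumerating caller
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a guessable value
        digest = self._token_hash(token)
        user = self.users.get(email)
        if user is not None:
            self.tokens.pop(user.reset_token_hash, None)   # a new request voids the previous link
            user.reset_token_hash = digest
            self.tokens[digest] = (email, t + TOKEN_TTL)
            self.outbox.append((email, RESET_URL + token))
        return GENERIC_REPLY

    def complete_reset(self, token: str, new_password: str, confirm: str) -> User | None:
        """Reset-form endpoint. Returns the user on success so the caller can start a fresh session."""
        if new_password != confirm or len(new_password) < MIN_PASSWORD_LEN:
            # Policy failure is reported before the token is consumed, so the user can fix the
            # form and resubmit instead of having to request a new link.
            raise ValueError(f"passwords must match and be at least {MIN_PASSWORD_LEN} characters")
        digest = self._token_hash(token)
        entry = self.tokens.pop(digest, None)    # pop makes the token single-use, valid or not
        if entry is None:
            return None
        email, expires = entry
        if self.now() > expires:
            return None                          # an expired link is discarded, never honoured late
        user = self.users[email]
        user.reset_token_hash = None
        user.password_hash = hash_password(new_password)
        self.outbox.append((email, "Your password was changed. If this wasn't you, contact us."))
        return user


if __name__ == "__main__":
    svc = ResetService(users={"alice@example.test": User("alice@example.test", hash_password("old-password-1"))})
    print(svc.request_reset("alice@example.test"))
    print(svc.request_reset("nobody@example.test"))   # identical reply for an unknown address
    link = svc.outbox[0][1]
    user = svc.complete_reset(link[len(RESET_URL):], "correct horse battery", "correct horse battery")
    print("reset ok:", user is not None, "| notification:", svc.outbox[-1][1])
```

complete_reset hands back the user rather than a session on purpose: the caller is expected to create a brand-new session for it. It also raises on a policy failure before touching the token, so a typo in the confirm field does not burn the link, and it pops the token before checking expiry, so an expired link is gone for good rather than lingering in the table.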
Common Mistakes
- Reset confirmation message that reveals account existence: "No account found with that email."
- Reset links that don't expire.
- Multiple-use reset tokens.
- Tokens that are short, sequential or derived from guessable data (timestamps, user IDs), which an attacker can predict or brute-force.
- Requiring the user to log in again after resetting: they just proved identity via email.
- No security notification after password change.
- Reset form that clears on error, forcing the user to re-enter both password fields.
Research & Theory
OWASP Authentication Guidelines
OWASP's authentication guidance includes a Forgot Password Cheat Sheet that covers the reset flow specifically. Key recommendations: tokens generated by a cryptographically secure random generator and sent over HTTPS only, time-limited and single-use, a uniform response whether or not the account exists, and rate limiting on the request endpoint.
Why it's relevant
Password reset is both a UX problem and a security problem. Both must be solved simultaneously.
Real-World Examples
GitHub
Email only requested. Immediate confirmation. 24-hour expiry. Auto-login after reset. Security email notification. Password requirements displayed on reset form.
Notion
Magic link flow: "We'll email you a link to sign in." No passwords to reset. The passwordless approach eliminates the reset flow entirely, though the sign-in link itself carries the same requirements as a reset token (random, short-lived, single use).
Linear
Similar to Notion — magic link authentication removes the need for password reset entirely.