Forgot Password: what is the best method of implementing a forgot password function?

  1. I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
  2. If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.

Option 1 is far easier.


A few important security concerns:

  • A passphrase question / answer actually lowers security since it typically becomes the weakest link in the process. It's often easier to guess someone's answer than it is a password - particularly if questions aren't carefully chosen.
  • Assuming emails operate as the username in your system (which is generally recommended for a variety of reasons), the response to a password reset request shouldn't indicate whether a valid account was found. It should simply state that a password request email has been sent to the address provided. Why? A response indicating that an email does/doesn't exist allows a hacker to harvest a list of user accounts by submitting multiple password requests (typically via an HTTP proxy like burp suite) and noting whether the email is found. To protect from login harvesting you must assure no login/auth related functions provide any indication of when a valid user's email has been entered on a login/pass reset form.

For more background, checkout the Web Application Hackers Handbook. It's an excellent read on creating secure authentication models.

EDIT: Regarding the question in your edit - I'd suggest:

"A password request email has been sent to the address you provided. If an email doesn't arrive shortly, please check your spam folder. If no email arrives, then no account exists with the email you provided."

There's a trade-off being made here between ease of use and security. You have to balance this based on context - is security important enough to you and your users to justify this inconvenience?


Send email with new password.

FORCE a password change when they arrive and key in the new password.

This ensures that the person who wanted the password will be the only only getting in to the account.

If the email is sniffed, someone could get in to the account (of course), but the real party will discover this immediately (as their password you just sent them doesn't work).

Also send confirmations of password changes to the users.

If someone get the new password, and then an email saying "thanx for changing the password", they're going to be rather puzzled and will talk to an admin if they didn't do it.