What is the recommended expiration for a password reset link?
It depends on how you’re communicating with the client. NIST recommends the following during the enrollment process when it’s considered a part of the authentication process, which I would consider equivalent to the password reset process. Also note these are maximum values; you may certainly use shorter intervals than these.
4.4.1.6 Address Confirmation
[ ... ]
e. Enrollment codes SHALL have the following maximum validities:
i. 10 days, when sent to a postal address of record within the contiguous United States;
ii. 30 days, when sent to a postal address of record outside the contiguous United States;
iii. 10 minutes, when sent to a telephone of record (SMS or voice);
iv. 24 hours, when sent to an email address of record.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf
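
Added example, not part of the answer above or of the NIST text: a minimal reset-token store that treats the quoted maximum validities as per-channel ceilings, allows a shorter lifetime, stores only a hash of the token, and makes each token single use. The class name, channel keys and in-memory dict are assumptions chosen for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Ceilings taken from the NIST SP 800-63A 4.4.1.6(e) list quoted above.
# The dictionary keys are hypothetical channel names.
MAX_VALIDITY = {
    "postal_us": timedelta(days=10),
    "postal_intl": timedelta(days=30),
    "phone": timedelta(minutes=10),
    "email": timedelta(hours=24),
}


class ResetTokenStore:
    """Hypothetical in-memory store; a real service would use a database."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> (user, expires_at)

    def issue(self, user, channel, now, ttl=None):
        limit = MAX_VALIDITY[channel]  # KeyError on an unknown channel
        ttl = limit if ttl is None else ttl
        if ttl <= timedelta(0) or ttl > limit:
            raise ValueError(f"ttl must be positive and at most {limit} for {channel}")
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[digest] = (user, now + ttl)  # raw token is never stored
        return token

    def redeem(self, token, now):
        """Return the user for a valid token, else None. Tokens are single use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.pop(digest, None)  # removed even if it turns out expired
        if row is None:
            return None
        user, expires_at = row
        return user if now < expires_at else None


if __name__ == "__main__":
    store = ResetTokenStore()
    issued = datetime.now(timezone.utc)
    link_token = store.issue("alice", "email", issued, ttl=timedelta(minutes=30))
    print(store.redeem(link_token, issued + timedelta(minutes=5)))
```
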