
We're setting up a feature to enable users to reset their password when they can't get access to their account. We ask for their email address (which they use for logging into the site) and send them an email with a unique link.

The questions are:

  1. Should the link expire on first click, or should the link expire on first use (i.e., when they reset their password successfully)?
  2. Should the link have 24-hour validity (or something similar)?
  3. Should the user be logged in after he clicks that link?

2 Answers

  1. The link should expire after the password is changed. If you expire the link on the first click, this can cause problems. Let's say I've got a bad internet connection, and the page didn't load completely in my browser. I reload the page and it says the link is expired. I wouldn't be a happy user to see that.

  2. Yes, you should limit the link to some reasonable time. 24 hours looks reasonable enough. If you don't limit the link lifetime, first of all you will have to store the generated id forever; secondly, the longer you keep this link active, the higher the probability that the link will be stolen by an attacker, which will lead to the account being stolen.

  3. You should let the user in only after the user changes his/her password. If you just log them in, they will probably decide that they don't have to change the password anymore. This way they can keep logging into the system forever without ever changing/knowing their password.
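The three points above map onto a small amount of server-side state. The following is an added example (not code from the question or either answer) of a reset-token store that behaves the way this answer recommends: opening the link only validates the token, the token is consumed only when the password is actually changed, it expires after 24 hours, and a session is created only at that moment. The `PasswordResetService` class, its in-memory dictionaries, and the commented-out `set_password` call are all assumptions for illustration; the `now` parameter exists so the expiry rule can be exercised with a fake clock.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # 24-hour validity, as the answer suggests


class PasswordResetService:
    """In-memory model of the reset flow (constructed example, not a real library)."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}    # sha256(token) -> {"user": ..., "expires": ..., "used": bool}
        self._sessions = {}  # hypothetical session store: session_id -> user

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user_email: str) -> str:
        """Generate a high-entropy, URL-safe token and record its expiry."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = {
            "user": user_email,
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def _lookup(self, token: str):
        """Return the live record for a token, or None if unknown, used or expired."""
        key = self._hash(token)
        record = self._tokens.get(key)
        if record is None or record["used"]:
            return None
        if self._now() > record["expires"]:
            del self._tokens[key]  # drop expired records instead of keeping them forever
            return None
        return record

    def open_reset_form(self, token: str) -> bool:
        """Point 1: clicking (or reloading) the link only validates; it does not consume it."""
        return self._lookup(token) is not None

    def complete_reset(self, token: str, new_password: str):
        """Point 3: consume the token and create a session only once the password changed.

        Returns the new session id, or None if the token is not valid.
        """
        record = self._lookup(token)
        if record is None:
            return None
        # set_password(record["user"], new_password)  # hypothetical persistence call
        record["used"] = True
        # Any other outstanding reset links for the same user are now stale too.
        for other in self._tokens.values():
            if other["user"] == record["user"]:
                other["used"] = True
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = record["user"]
        return session_id


if __name__ == "__main__":
    svc = PasswordResetService()
    tok = svc.issue_token("alice@example.com")  # constructed sample user
    print("form opens:", svc.open_reset_form(tok))
    print("form reopens after reload:", svc.open_reset_form(tok))
    print("session after reset:", svc.complete_reset(tok, "correct horse battery staple"))
    print("link still valid after reset:", svc.open_reset_form(tok))
```

Because the token is consumed inside `complete_reset` rather than in `open_reset_form`, the "page didn't load, so I reloaded" case from point 1 simply works, while a link that leaks after the reset is useless. Storing the hash rather than the token itself is the same idea as hashing passwords: the database never holds anything that can be pasted into a browser.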

  1. The link should expire after they have reset their password successfully. If somehow the user ended up needing guidance on a password reset and wanted to return later, they should be able to.
  2. That being said, the reset should expire eventually; 48 hours?
  3. Yes, they should be logged in after a password reset; otherwise there is another frustrating step in the way of your user doing what they came to do on your site.