Facebook Pixel

How do I handle password resets in Node.js?

Generate a random token, store its hash with a 15-min expiry on the user, email a link with the raw token, verify the hash on reset, hash the new password, invalidate the token, and notify the user. Rate limit the request endpoint.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in How to Handle Password Resets in Node.js

If the database is leaked, attackers cannot use the hashes to reset passwords. The raw token is in the email link, not the database. Compare hashes on reset.

15 minutes is good. Do not use 24 hours. Short expiry limits the window an attacker has to use a stolen token. If the user needs more time, they can request another.

To prevent email enumeration. If an attacker can tell which emails are registered, they can target those accounts. Return the same response whether the email is registered or not: 'If the email exists, a reset link has been sent.'

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.