How do you handle password resets securely?
Generate a random token, store its hash with a 15-min expiry, email a link with the raw token, verify the hash on reset, hash the new password, invalidate the token. Rate limit the request endpoint. Do not reveal if the email is registered.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Password Security Interview Questions and Answers
Because if the database is leaked, plain-text passwords expose every user. People reuse passwords, so one leak breaks other accounts. Hashing turns passwords into irreversible strings, so a leak does not reveal the passwords.
SHA-256 is a fast hash, not a password hash. Fast means brute-forcing a list of hashes is fast. bcrypt is slow on purpose and has a salt built in, making brute-force expensive.
A random value added to the password before hashing. It ensures two users with the same password get different hashes. Prevents rainbow table attacks. bcrypt and argon2 handle salting automatically.
Still have questions?
Browse all our FAQs or reach out to our support team
