How long should a password reset token be valid?
15 minutes is good. Do not use 24 hours. Short expiry limits the window an attacker has to use a stolen token. If the user needs more time, they can request another.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Handle Password Resets in Node.js
Generate a random token, store its hash with a 15-min expiry on the user, email a link with the raw token, verify the hash on reset, hash the new password, invalidate the token, and notify the user. Rate limit the request endpoint.
If the database is leaked, attackers cannot use the hashes to reset passwords. The raw token is in the email link, not the database. Compare hashes on reset.
To prevent email enumeration. If an attacker can tell which emails are registered, they can target those accounts. Return the same response whether the email is registered or not: 'If the email exists, a reset link has been sent.'
Still have questions?
Browse all our FAQs or reach out to our support team
