Facebook Pixel

What should I do after a successful password reset?

Invalidate the token (one-time use), hash the new password, notify the user by email that the password was changed, and invalidate all existing JWTs (e.g., bump a tokenVersion field) so attackers with old tokens are logged out.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in How to Handle Password Resets in Node.js

Generate a random token, store its hash with a 15-min expiry on the user, email a link with the raw token, verify the hash on reset, hash the new password, invalidate the token, and notify the user. Rate limit the request endpoint.

If the database is leaked, attackers cannot use the hashes to reset passwords. The raw token is in the email link, not the database. Compare hashes on reset.

15 minutes is good. Do not use 24 hours. Short expiry limits the window an attacker has to use a stolen token. If the user needs more time, they can request another.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.