Why not reveal whether an email is registered on password reset?
To prevent email enumeration. If an attacker can tell which emails are registered, they can target those accounts. Return the same response whether the email is registered or not: 'If the email exists, a reset link has been sent.'
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Handle Password Resets in Node.js
Generate a random token, store its hash with a 15-min expiry on the user, email a link with the raw token, verify the hash on reset, hash the new password, invalidate the token, and notify the user. Rate limit the request endpoint.
If the database is leaked, attackers cannot use the hashes to reset passwords. The raw token is in the email link, not the database. Compare hashes on reset.
15 minutes is good. Do not use 24 hours. Short expiry limits the window an attacker has to use a stolen token. If the user needs more time, they can request another.
Still have questions?
Browse all our FAQs or reach out to our support team
