Users and Identity

Password Reset Flows Must Use Time-Limited Single-Use Tokens

Reset tokens must be cryptographically random, single-use, short-lived, and invalidated immediately after use or after a failed attempt.

Rule

Password reset tokens must be single-use, time-limited, and hashed at rest.

Why

A reusable or permanent reset token is a password-bypass vulnerability: whoever obtains it can set the account's password for as long as it stays valid.

Must

  • Generate tokens using a cryptographically secure random source.
  • Store only the hash of the token, never the token itself.
  • Set a short expiry (15-60 minutes maximum).
  • Invalidate the token after first successful use.
  • Invalidate all active sessions on successful password change.
  • Rate-limit reset requests per email and IP.

Should

  • Send a security notification to the user when a reset is requested.
  • Return the same response whether or not the email address is registered, so the flow cannot be used for account enumeration.

Anti-patterns

  • Token stored in plaintext in the database.
  • No expiry on the reset link.
  • Reusing the same token for multiple resets.

Test Cases

  • Token is invalid after first use.
  • Expired token returns an explicit error.
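The Must list and the two Test Cases above describe one flow. The following is an added Python example, not code from this page or from any library, that implements that flow end to end with in-memory dictionaries standing in for the database and the mail sender: a CSPRNG token whose SHA-256 digest is the only thing stored, a fixed TTL, single-use consumption, session invalidation on success, a per-email and per-IP rate limit, a neutral response for unknown addresses, and the three telemetry events listed below. The 15-minute TTL, the rate-limit constants, the scrypt parameters, the sample address and IP values, and the injectable clock are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # assumed: low end of the 15-60 minute window
MAX_REQUESTS_PER_WINDOW = 3      # assumed rate limit, applied per email and per IP
RATE_WINDOW_SECONDS = 60 * 60
NEUTRAL_MESSAGE = "If an account exists for that address, a reset link has been sent."


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float


@dataclass
class ResetResult:
    ok: bool
    error: Optional[str] = None   # explicit reason on failure: "invalid" or "expired"


class PasswordResetService:
    """In-memory reset flow; the dictionaries stand in for database tables (constructed)."""

    def __init__(self, users: Dict[str, str], now: Callable[[], float] = time.time):
        self.users = users                                   # email -> user_id
        self.now = now                                       # injectable clock for tests
        self.tokens: Dict[str, ResetRecord] = {}             # sha256(token) -> record; raw token never stored
        self.sessions: Dict[str, set] = {}                   # user_id -> active session ids
        self.password_hashes: Dict[str, bytes] = {}          # user_id -> salt + scrypt hash
        self.request_log: Dict[Tuple[str, str], List[float]] = {}
        self.events: List[Tuple[str, str]] = []              # telemetry: (event name, user_id)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _rate_limited(self, key: Tuple[str, str]) -> bool:
        """Sliding-window counter; a request that is over the limit is not recorded."""
        cutoff = self.now() - RATE_WINDOW_SECONDS
        stamps = [t for t in self.request_log.get(key, []) if t > cutoff]
        self.request_log[key] = stamps
        if len(stamps) >= MAX_REQUESTS_PER_WINDOW:
            return True
        stamps.append(self.now())
        return False

    def request_reset(self, email: str, client_ip: str) -> Tuple[str, Optional[str]]:
        """Returns the constant user-facing message and the raw token for the emailed link
        (None when rate-limited or when no account exists). The caller must never expose the token."""
        email_limited = self._rate_limited(("email", email))
        ip_limited = self._rate_limited(("ip", client_ip))
        if email_limited or ip_limited:
            return NEUTRAL_MESSAGE, None
        user_id = self.users.get(email)
        if user_id is None:
            return NEUTRAL_MESSAGE, None                 # identical response: no account enumeration
        raw_token = secrets.token_urlsafe(32)            # CSPRNG, 256 bits of entropy
        self.tokens[self._hash(raw_token)] = ResetRecord(user_id, self.now() + TOKEN_TTL_SECONDS)
        self.events.append(("password_reset_requested", user_id))
        return NEUTRAL_MESSAGE, raw_token

    def complete_reset(self, raw_token: str, new_password: str) -> ResetResult:
        digest = self._hash(raw_token)
        record = self.tokens.get(digest)
        if record is None:
            return ResetResult(False, "invalid")         # unknown, already used, or already purged
        if self.now() > record.expires_at:
            del self.tokens[digest]                      # expired tokens are purged, never retried
            self.events.append(("password_reset_token_expired", record.user_id))
            return ResetResult(False, "expired")
        del self.tokens[digest]                          # single use: consumed before any other work
        salt = secrets.token_bytes(16)
        self.password_hashes[record.user_id] = salt + hashlib.scrypt(
            new_password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
        self.sessions.pop(record.user_id, None)          # every active session is invalidated
        self.events.append(("password_reset_completed", record.user_id))
        return ResetResult(True)


if __name__ == "__main__":
    svc = PasswordResetService({"alice@example.com": "u1"})   # constructed sample directory
    _, token = svc.request_reset("alice@example.com", "203.0.113.5")
    print(svc.complete_reset(token, "correct horse battery staple"))   # ok=True
    print(svc.complete_reset(token, "second attempt"))                 # error='invalid'
```

The ordering inside `complete_reset` is the point to notice: the record is deleted before the password is written, so a second request with the same link can never observe a window in which the token is still valid; a database-backed version should do the same with a single atomic update-and-return rather than a read followed by a write.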

Telemetry

  • password_reset_requested
  • password_reset_completed
  • password_reset_token_expired