Password recovery flow - Send Password recovery to any email?

manpreet Best Answer 2 years ago

_x000D_ While in discussions with someone under the question, I figured I would go ahead and post how we handle password resets using a similar flow, and point out where we try and prevent malicious intent. Here is our flow: On the login form, there is a link for "forgot password" The forgot password screen in a simple textbox, where you can enter your email address. In our implementation, the email address is the username, but it shouldn't matter as long as each user has a valid email address attached to their account. User enters an email address and presses "Submit". IF the email address is associated with a valid account, we generate a GUID, store it in the password reset request table with an association to the requesting user account and set an expiration time of 30 minutes. IF the email address does not exist, we do nothing. No email is sent to anyone. Regardless if the email address is correct or not, we always show a "Thanks, if the email address you entered is correct, you will be receiving an email shortly with instructions on how to reset your password". This is important as you don't want a bad user using this form to try and discover user names. The user receives the email and clicks the link. This takes them to a reset password screen (with a new password/confirm new password textboxes) if the GUID/link is still valid. If it is not, we show a "this reset key is no longer valid" if the key is expired or does not exist. After reset, user is redirected to login screen to login to the application. Hope this helps. As others have said, use a good method to generate the reset password link, do not use any user identifying information in the link (someone could guess it, figure out your algorithm, etc).