Forgot Password: what is the best method of implementing a forgot password function?
I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there, here are a few or combination of:
- passphrase question / answer (1 or more)
- send email with new password
- on screen give new password
- confirmation through email: must click link to get new password
- page requiring user to enter a new password
What combination or additional steps would you add to a forgot password function? I'm wondering about how they request the new password and how they end up getting it.
I'm operating on the principal that the password cannot be retrieved; a new password must be given/generated.
Edit I like what Cory said about not displaying if the username exists, but I'm wondering what to display instead. I'm thinking half the problem is that the user forgot which email address they used, which displaying some sort of "does not exist" message is useful. Any solutions?
Answer
- I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
- If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.
Option 1 is far easier.