Best Practices for Password Reminders and Account Recovery

How to Set Up an Effective Password Reminder System

Goals

  • Reduce account lockouts while keeping security strong.
  • Minimize help-desk load and user frustration.
  • Avoid exposing passwords or creating easy attack vectors.

1. Use secure, standardized recovery flows

  • Offer email and SMS recovery, plus authenticator apps as preferred second-factor options.
  • Require a verified contact method before allowing reminders or resets.
  • Use time-limited, single-use tokens (links or codes) for password resets.

2. Never send or store plaintext passwords

  • Do not display or email existing passwords. Instead, issue a reset link or temporary code.
  • Store only salted, memory-hard hashed passwords (e.g., Argon2 or bcrypt).

3. Design reminder UI/UX for clarity and security

  • Keep the flow minimal: enter username/email → send token → verify → set new password.
  • Show generic success/failure messages that avoid revealing whether an account exists (or, if UX requires, use progressive disclosure with rate limits).
  • Include clear instructions and password strength guidance on the reset page.

4. Token and link security

  • Tokens should be cryptographically random, single-use, and expire quickly (typical: 15–60 minutes).
  • Limit the number of active tokens per account and revoke older tokens when a new one is issued.
  • Use HTTPS everywhere and verify referrer/origin where possible before accepting reset submissions.

5. Rate limiting and abuse protection

  • Rate-limit reminder requests per IP and per account to prevent enumeration and mass token sending.
  • Add CAPTCHA for suspicious volumes or unknown devices.
  • Log and alert on unusual patterns (many requests for same account, many failures).
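Sections 4 and 5 describe the token lifecycle (random, hashed at rest, single-use, short expiry, one live token per account) and per-account rate limiting. The following Python is an added example, not code from the original page: `ResetTokenStore`, its limits and its in-memory dicts are assumptions standing in for a real database table and rate limiter.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60      # expire quickly: 15 min (page suggests 15-60)
MAX_REQUESTS_PER_WINDOW = 3      # per-account reminder requests per window
WINDOW_SECONDS = 3600

class ResetTokenStore:
    """Constructed in-memory stand-in for a reset-token table (hypothetical, not a real library)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}    # sha256(token) -> {"account", "expires", "used"}
        self.requests = {}  # account -> timestamps of recent reminder requests

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored, so a leaked table cannot be replayed as reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def _rate_limited(self, account: str) -> bool:
        now = self.clock()
        recent = [t for t in self.requests.get(account, []) if now - t < WINDOW_SECONDS]
        self.requests[account] = recent
        return len(recent) >= MAX_REQUESTS_PER_WINDOW

    def issue(self, account: str):
        """Return a fresh token to send via the verified channel, or None if rate-limited."""
        if self._rate_limited(account):
            return None
        self.requests[account].append(self.clock())
        # One live token per account: revoke any older ones before issuing a new one.
        for rec in self.tokens.values():
            if rec["account"] == account:
                rec["used"] = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
        self.tokens[self._hash(token)] = {
            "account": account, "expires": self.clock() + TOKEN_TTL_SECONDS, "used": False}
        return token

    def redeem(self, account: str, token: str) -> bool:
        """True exactly once for a valid, unexpired, unused token bound to this account."""
        rec = self.tokens.get(self._hash(token))  # look up by hash, never by raw token
        if (rec is None or rec["used"] or rec["account"] != account
                or self.clock() > rec["expires"]):
            return False
        rec["used"] = True  # single-use: burned on first successful redemption
        return True
```

The caller still has to bind `redeem` to the password-change form and emit the change notification from section 8; the store only decides whether a presented token is acceptable.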

6. Multi-factor and device-based reminders

  • Encourage use of authenticator apps, hardware keys, or push-based MFA for account recovery.
  • Allow trusted-device flows: mark devices as trusted after MFA and allow shorter flows for them, with clear session management and revocation.

7. Verification of identity for high-risk accounts

  • For sensitive accounts, require additional verification (security questions only as a last resort — prefer alternative factors like a recovery code issued earlier).
  • Offer account recovery codes that users store offline; allow them to use these to regain access.

8. Notifications and auditability

  • Notify users when a password reset or reminder is requested and when a password is changed.
  • Include timestamp and originating IP/device information in notifications.
  • Keep audit logs of reset events for security review.

9. Help and fallback support

  • Provide a clear support path for users who can’t access recovery methods (support ticket flow with identity verification).
  • Define internal procedures for manual recovery that require strong identity proof.

10. User education

  • Prompt users to enable MFA and to store recovery codes safely.
  • Provide guidance on choosing strong, unique passwords or using a password manager.

Quick checklist (implementation)

  1. Verify contact method.
  2. Generate cryptographically secure token.
  3. Send time-limited single-use link/code via verified channel.
  4. Rate-limit and monitor requests.
  5. Force password reset — do not reveal existing password.
  6. Send notification after change.
  7. Encourage MFA and provide recovery codes.
