Forgot Password

While adding a "Forgot Password?" feature in your app or website, please check the following cases:

  1. Text should be “Forgot password?” and not “Forget password”
  2. Password validation rules applied on signup should also apply during password reset
  3. Forgot password link should expire after 24 hours.
  4. It should not be possible to reset another user’s password by tampering with the token or any other value in the reset URL.
  5. Users must be asked to log in again after a password reset.
  6. [Optional] All previously logged-in sessions of the user must expire at the time of the password reset.
  7. Setting a password similar to the previous one should not be allowed in financial/banking systems.
  8. Requesting a forgot-password link multiple times should block that user's further attempts for the next 30 minutes.
  9. Updating the password from multiple systems at the same time with the same link should be handled safely.
  10. After the password has been updated, the link should no longer work to reset the password.
  11. The forgot-password link should be sent only to a verified email address/phone number.
  12. Password reset links should not be flagged as spam.
  13. Both on-page (client-side) and server-side validation should be implemented for the forgot-password and reset-password pages.
  14. After the password has been restored, the site should redirect the user to the login page.
  15. After resetting the password via the forgot-password link, the user should not be able to sign in with the old password.
  16. A history of password reset/forgot requests should be logged and kept in the database/admin panel.
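The following is an added example, not code from this checklist's repository, showing how items 3, 4, 6, 8, 9, 10, 15 and 16 can be enforced in one small service: reset tokens stored only as digests, bound to a user, expiring after 24 hours, consumed once under a lock, with a 30-minute block after repeated requests, session invalidation and an audit log. The in-memory dictionaries, the `MAX_REQUESTS` threshold and the plain SHA-256 password digest are assumptions for the demo; a real deployment uses a database and a slow password hash.

```python
import hashlib, secrets, threading

TOKEN_TTL = 24 * 3600      # item 3: reset link expires after 24 hours
BLOCK_SECONDS = 30 * 60    # item 8: block further link requests for 30 minutes
MAX_REQUESTS = 3           # assumed: link requests allowed before the block starts

def _digest(value):
    # demo placeholder; use argon2/bcrypt for real password storage
    return hashlib.sha256(value.encode()).hexdigest()

class PasswordResetService:
    def __init__(self):
        self.passwords = {}       # user_id -> digest of the current password
        self.sessions = {}        # user_id -> set of live session ids (item 6)
        self.audit_log = []       # item 16: (event, user_id, timestamp)
        self._tokens = {}         # digest(token) -> (user_id, expires_at); raw token never stored
        self._attempts = {}       # user_id -> number of link requests since the last block
        self._blocked_until = {}  # user_id -> timestamp until which requests are refused
        self._lock = threading.Lock()

    def request_reset(self, user_id, now):
        """Issue a reset token, or None if the user is currently blocked."""
        with self._lock:
            if now < self._blocked_until.get(user_id, 0):
                return None
            self._attempts[user_id] = self._attempts.get(user_id, 0) + 1
            if self._attempts[user_id] > MAX_REQUESTS:
                self._blocked_until[user_id] = now + BLOCK_SECONDS
                self._attempts[user_id] = 0
                self.audit_log.append(("blocked", user_id, now))
                return None
            token = secrets.token_urlsafe(32)
            self._tokens[_digest(token)] = (user_id, now + TOKEN_TTL)
            self.audit_log.append(("link_requested", user_id, now))
            return token

    def reset_password(self, user_id, token, new_password, now):
        """Consume the token and set the new password; False for unknown, foreign, expired or spent links."""
        with self._lock:
            entry = self._tokens.get(_digest(token))
            if entry is None or entry[0] != user_id or now > entry[1]:
                return False                       # items 3, 4, 10
            del self._tokens[_digest(token)]       # items 9, 10: removed under the lock, so only one concurrent caller succeeds
            self.passwords[user_id] = _digest(new_password)
            self.sessions.pop(user_id, None)       # item 6: every old session is invalidated
            self.audit_log.append(("password_reset", user_id, now))
            return True

    def check_login(self, user_id, password):
        """Item 15: only the new password is accepted after a reset."""
        return self.passwords.get(user_id) == _digest(password)
```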