Forgot password
A flow for resetting a password the user cannot remember.
A forgot-password flow starts with a small "Forgot password?" link on the login screen. The user enters their email, gets a reset link, opens it, and chooses a new password. Three or four screens total.
Always confirm "we sent an email" even if the address is not in your system — this prevents attackers from probing for valid accounts. Make the reset link expire (15-60 minutes is common) and invalidate it after one use.
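The server side of this pattern, as an added Python example that is not part of the original page: a hypothetical `PasswordResetService` that returns the same message for known and unknown addresses, stores only a hash of each token, expires tokens after 15 minutes, and consumes them on first use. The class name, the `send_email` callback and the injectable clock are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Page suggests 15-60 minutes; the example uses the low end.
TOKEN_TTL_SECONDS = 15 * 60


class PasswordResetService:
    """Hypothetical reset-token store: single-use, expiring, hash-at-rest."""

    def __init__(self, known_emails, now=time.time):
        self.known_emails = set(known_emails)
        self.now = now  # injectable clock so expiry can be tested
        # Only the SHA-256 of each token is kept, so a leaked table
        # cannot be replayed against the redeem endpoint.
        self._tokens = {}  # token_hash -> (email, expires_at)

    def request_reset(self, email, send_email):
        """Return an identical message whether or not the address is registered."""
        if email in self.known_emails:
            token = secrets.token_urlsafe(32)  # unguessable raw token goes in the link
            self._tokens[self._hash(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
            # In production, hand this off to a queue so that response timing
            # does not differ between known and unknown addresses.
            send_email(email, token)
        return "If that address is in our system, we sent an email."

    def redeem(self, token):
        """Consume the token; return the email it belongs to, or None."""
        # pop() removes the entry on first use, valid or not: single use.
        entry = self._tokens.pop(self._hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None  # expired; already removed by pop()
        return email

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()
```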