Secure ways to reset password or to give old password

Frontend · Unresolved · 3 answers · 454 views
盖世英雄少女心 2021-01-02 12:13

What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let t

3 answers

慢半拍i (original poster), 2021-01-02 12:55

You shouldn't send passwords via email. Here is a step-by-step process I've used:

1. Give users a reset password option.
2. This option saves a unique token for a user. The token eventually expires (hours, a day, or days).
3. A link is emailed to the user which includes the token.
4. User clicks on the emailed link.
5. If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
6. Once the user sets a new password, delete the token and send the user a confirmation email.

Until the new password is set, the old password should remain active. Don't forget to hash and salt the passwords!
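The six-step flow above, carried through as an added example that is not part of the original answer. It is a self-contained Python sketch with assumptions of my own: in-memory dicts stand in for the user and token tables, the token lifetime is one hour, passwords are hashed with salted PBKDF2-HMAC-SHA256, and `now` is passed in explicitly so expiry can be exercised offline. Two details go slightly beyond the answer: only a SHA-256 digest of the reset token is stored (so a leaked token table yields no usable links), and the unknown-email case returns the same outward result as the known-email case so the reset form cannot be used to enumerate accounts.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 60 * 60  # assumed lifetime for a reset token: one hour
PBKDF2_ROUNDS = 100_000      # assumed work factor for the password hash


@dataclass
class User:
    email: str
    pw_salt: bytes
    pw_hash: bytes


# Constructed in-memory stores standing in for database tables.
USERS: Dict[str, User] = {}
# sha256(token) -> (email, expires_at). The raw token never touches storage.
RESET_TOKENS: Dict[bytes, Tuple[str, float]] = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (step: 'hash and salt the passwords')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = User(email, salt, hash_password(password, salt))


def verify_login(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.pw_salt))


def _token_hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-3: mint a random, expiring token and return the value for the emailed link.

    Returns None for an unknown address; the HTTP response shown to the requester
    should be identical in both cases ("if that address exists, we sent a link").
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[_token_hash(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def lookup_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 5: return the owning email only if the token exists and has not expired.

    An expired token is removed on sight so it cannot linger in the table.
    """
    now = time.time() if now is None else now
    key = _token_hash(token)
    entry = RESET_TOKENS.get(key)
    if entry is None:
        return None
    email, expires_at = entry
    if now >= expires_at:
        del RESET_TOKENS[key]
        return None
    return email


def send_confirmation_email(email: str) -> None:
    # Placeholder for the real mailer; prints instead of sending.
    print(f"[mail to {email}] Your password was changed. If this wasn't you, contact support.")


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 6: store the new password, delete the token, notify the user.

    Until this succeeds the old password keeps working, since nothing in
    request_reset() touches the stored credential.
    """
    email = lookup_token(token, now)
    if email is None:
        return False
    user = USERS[email]
    salt = os.urandom(16)  # fresh salt on every change
    user.pw_salt, user.pw_hash = salt, hash_password(new_password, salt)
    del RESET_TOKENS[_token_hash(token)]  # single use: a replayed link now fails at step 5
    send_confirmation_email(email)
    return True


if __name__ == "__main__":
    register("alice@example.test", "old-pass")
    link_token = request_reset("alice@example.test")
    print("old password still valid during reset:", verify_login("alice@example.test", "old-pass"))
    print("reset completed:", complete_reset(link_token, "new-pass"))
    print("old link replayed:", complete_reset(link_token, "other"))
```

The `now` parameter exists only so the expiry branch is testable without sleeping; in a real service you would drop it and read the clock inside. Rate-limiting the reset endpoint and invalidating any outstanding tokens when a new one is requested are sensible additions the sketch leaves out.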
