Some best practices for offering password recovery on websites:
1. Offer a password recovery option
With many sites running on a standard CMS, this is a given. But make sure the “Forgot password” option is clearly visible and close to the login form.
2. Do not send passwords in mail
Do not send the password currently in use by mail. Instead, either issue a new automatically generated password or let the user set a new password himself. If it is an automatically generated password, prompt the user to change it when he signs in. WordPress does this so users won’t need to remember the automatic passwords.
3. Allow password recovery by SMS
Users may have forgotten the password for their email account too. So it is good to offer more recovery options, such as SMS.
4. Alert secondary emails
Allow users to register secondary emails and alert them if someone is trying to recover their password. This helps in case hackers have access to the primary mail.
5. Remind users about the password recovery options
Oftentimes we don’t remember the password recovery info until we lose the password. So it is better to remind us while we still have access and let us verify this info. Gmail does this.
6. Custom secret questions
Offering secret questions as a way to verify is good. But give an option to write a custom question which the user will remember. Most websites give very western / upper-class-centric secret questions that the other half of the world cannot relate to.
7. Tell if the username doesn’t exist
Many sites just say the password is incorrect even if the user doesn’t exist. With users registering at many sites, they are bound to forget the correct user name too. Tell them if the user name doesn’t exist so they can try their regular user name and password combos.
8. Allow Recovery by both user name and email
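As an added example for point 2 above (not code from the original post), here is a minimal "set a new password yourself" reset flow: the site mails a random single-use token that expires, stores only the token's hash, and never mails the password itself. The in-memory stores, the 15-minute lifetime and the PBKDF2 password hashing are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link: 15 minutes

# Constructed in-memory stores standing in for database tables.
_reset_tokens = {}   # sha256(token) -> {"user": username, "expires": unix time}
_passwords = {}      # username -> (salt, pbkdf2 digest)


def _hash_token(token):
    # Only the hash is persisted, so a leaked table cannot be used to reset passwords.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username, now=None):
    """Create a reset token for the user; the raw token goes into the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    _reset_tokens[_hash_token(token)] = {"user": username, "expires": now + RESET_TTL_SECONDS}
    return token


def redeem_reset_token(token, new_password, now=None):
    """Consume the token and set the user's new password.

    Returns False if the token is unknown, already used, or expired.
    """
    now = time.time() if now is None else now
    record = _reset_tokens.pop(_hash_token(token), None)  # pop makes the token single-use
    if record is None or record["expires"] < now:
        return False
    # Assumed password hashing for the example; a dedicated password hash (bcrypt/argon2)
    # is the usual production choice.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    _passwords[record["user"]] = (salt, digest)
    return True


def verify_password(username, password):
    """Check a login attempt against the stored hash in constant time."""
    stored = _passwords.get(username)
    if stored is None:
        return False
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)
```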