Website password recovery best practices

Some best practices for offering password recovery on websites:

1. Offer a password recovery option 🙂

With many sites running on a standard CMS, this is a given. But make sure the ‘Forgot password’ option is clearly visible and near the login form.

2. Do not send passwords in mail

Do not send the password currently in use by mail. Instead, send a new automatically generated password or let the user set a new password himself. If it is an automatically generated password, prompt the user to change it when he signs in. WordPress does this so users won’t need to remember the automatic passwords.

3. Allow password recovery by SMS

Users may have forgotten the password for their email account too. So, it is good to offer more recovery options, such as SMS.

4. Alert secondary emails

Allow users to register secondary emails and alert them if someone is trying to recover their password. This helps in case hackers have access to the primary mail.

5. Remind users about the password recovery options

Oftentimes, we don’t remember the password recovery info until we lose the password 🙂 So, it is better to remind us while we still have access and let us verify this info. Gmail does this.

6. Custom secret questions

Giving secret questions as a way to verify is good. But give an option to write a custom question which the user will remember. Most websites give very Western / upper-class-centric secret questions which the other half of the world cannot relate to.

7. Tell if the username doesn’t exist

Many sites just say the password is incorrect even if the user doesn’t exist. With users registering at many sites, they are bound to forget the correct user name too. Tell them if the user name doesn’t exist so they can try their regular user name and password combos.

8. Allow recovery by both user name and email


4 responses to “Website password recovery best practices”

  1. //Tell them if the user name doesn’t exist so they can try their regular user name and password combos.//
    Ravi! I think this will give way to spammers. For instance, Zoho does not explicitly say “Username does not exist”; instead, it informs “Username and Password do not match”.

    What do you think?


    1. Venkat, I didn’t think of it as spam protection. Thanks for pointing it out. Still, I wish they would figure out a way to help users while protecting from spam.

  2. Matthew Frederick

    It’s not just spammers that can take advantage of providing information about the validity of a username, it’s hackers in general. If you provide one response when the username is right but the password is wrong and a different response when the username is wrong, you’re making it way, way easier to hack into your system.

    Think of it like this: if it’s ambiguous then the hacker (more likely the hacker’s program) has to correctly guess two pieces of matching information; this isn’t just twice as hard as guessing a password for a given username, it’s many thousands of times harder. If you provide different responses then the hacker can keep trying usernames until he finds a valid one and then just run through common passwords.

    I understand your point about making it easier for the user, but do know that it makes it dramatically easier for a hacker.
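
The two behaviours discussed in the comments above, side by side, as an added example that is not part of the original post or its comments. The function names, the in-memory user store and the PBKDF2 settings are assumptions made for this sketch; the generic message is the wording quoted from Zoho above.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Username and password do not match"
PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_store(accounts: dict) -> dict:
    """Build {username: (salt, hash)} from constructed sample accounts."""
    store = {}
    for name, password in accounts.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(password, salt))
    return store


# Verified when the username is unknown, so both failure paths
# perform the same hashing work and take similar time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-not-a-real-password", _DUMMY_SALT)


def login(store: dict, username: str, password: str) -> tuple:
    """Return (ok, message); every failure yields the same message."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    matches = hmac.compare_digest(candidate, expected)
    # The membership check stops the dummy entry from ever granting access.
    if matches and username in store:
        return True, "Welcome"
    return False, GENERIC_FAILURE


def leaky_login(store: dict, username: str, password: str) -> tuple:
    """The two-response variant the comment warns about, for comparison."""
    if username not in store:
        return False, "Username does not exist"
    salt, expected = store[username]
    if hmac.compare_digest(hash_password(password, salt), expected):
        return True, "Welcome"
    return False, "Password is incorrect"
```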

  3. ravi venkatraman

    With the recent trend to use an authentication code instead of a temp password, what’s your thought? Though the flow is the same, we avoid touching user data which they own!