The Blog

Lost password reset software design pattern

07 Apr 12

When you build a new Service-Website from scratch you’ll probably have to face with this. Passwords are the most sensitive data we have and your application should behave securely enough to maintain user’s data private!

Some time ago you it was a common pattern to store the user password as plain text ( or with some Symmetric-key algorithm ). This let the user to retrieve their password withouth setting a new one.

From this pattern a fork was born which required to answer a predefined question in order to make the application send the password back to the user.

It seems these patterns are not used anymore in favor of the actual one which involves a more structured application/user flow in order to let the user regain access to the application. I’m talking about password reset.

The new way

Basically the password is stored in the database with a non symmetric-key algorithm ( Ex: md5 hash ) and whenever the user needs to regain access to the application the password needs to be resetted ( and the old one will be lost forever ).

Everything starts when the user can’t find his password to access your application. Then the user needs to remind the email or the username he used to login into your application, once this is done he needs to fill in the “Password reset form” which will ask only for the username.

The application, at this point, will generate a new token and save it inside the database for later usage. The user then receives the  notification from the server ( usually via e-mail ) that contains a string like the following:

Hey, we heard you lost your password.

Use the following link within the next 24 hours to reset your password:<username>/<token>


When the user clicks over the link the application needs to validate a couple of things:

  • Is the username/token pair a valid one?
  • Is the token still valid ( not expired ? )
  • Was the token already used ?
If every above-mentioned check goes the way it should, then the user can log-in your application again. How? There are two options here:
  • Make the user choose the new password after your application validates the link
  • Send the user a new automatically generated password via email.
The first option seems to be more secure than the second one ( think about if your email account get hacked and the attacker starts searching for “password” inside the user’s archived emails ).
In order to explain the procedure i designed a quick flow chart.

I also designed a database-table schema for storing/retrieving the token informations.

I hope this helps 🙂