spec checked
OWASP Forgot Password Cheat Sheet
Documents forgot-password request handling, consistent response messages and timing, side-channel delivery, cryptographically strong single-use expiring tokens, rate limiting, no automatic login after reset, optional session invalidation, and post-reset notification.
Pattern Decisions This Source Supports
| Pattern | Supported decision | Required contract | Claim note |
|---|---|---|---|
| Password reset | Choose password reset when an unauthenticated or partially authenticated user needs to regain account access by proving control of a recovery channel and setting a replacement password. | Submitting an identifier always leads to the same visible confirmation, in comparable time, regardless of whether an account exists; the reset token is delivered only through the side channel. | OWASP supports neutral reset responses with consistent timing, delivery by email or another side channel, cryptographically strong single-use expiring tokens, rate limiting, no automatic login after reset, optional invalidation of existing sessions, and a post-reset notification to the account holder. |
Evidence Role
This source is treated as spec evidence. Use it to validate the decision rules above, not as a visual style reference.
Publisher: OWASP Cheat Sheet Series. Last checked: .