Question

Here's the scenario:

A hacker hijacks the account of a user on my site. The hacker changes the password. My site sends out an email to the user's contact email address with a link containing a url with a hash value to reset the password. The hacker then changes the user's contact email address the following day. My site then sends out an email to the old and new email addresses.

Most answers here have said that the recovery hash should be valid for an hour. But what if the user is away from home and doesn't get the emails until a week later, after the hash has expired? The user's password has been changed, and they can't get a new recovery email either. The user has now lost the account and has no way to recover it. Shouldn't the hash remain valid for a week or two, or until it is used?

And what happens if the hacker, knowing how this mechanism works on most sites, claims to forget the password and requests a new one. Should the site generate a new hash, replacing the old one, thereby rendering the real user's reset hash invalid? Or should the site not change the hash, and send out the same hash again? But now, both the real user and the hacker have a hash to reset the password?

I'm sooooo confused... Maybe there's no perfect solution to this problem...

Any other technique? I, personally, don't like "secret questions" because, more often than not, they provide a back door to hack into someone's account. When sites require them from me, I type gibberish as the answer.

BTW, I know there are similar questions like this, and I would have preferred to ask for clarification in a comment to an existing question rather than open a new question, but I don't have high enough reputation to add a comment to someone else's question.
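The two design knobs the question turns on (how long an emailed reset link stays valid, and whether a fresh "forgot password" request revokes links already sent) are easiest to reason about when they are explicit code. The following is an added example, not code from the original post: a hypothetical in-memory reset-token store with an injectable clock, plus a function that replays the question's timeline (link mailed on day 0, attacker requests another on day 1, real user opens the mail days later) and reports who can still reset. Names such as `PasswordResetService`, `hijack_scenario` and the user id `alice` are constructed for the example.

```python
"""Hypothetical password-reset token store (added example, not from the page).

Policy knobs modelled:
  * ttl_seconds: how long an emailed reset link stays valid (None = until used)
  * revoke_previous: whether a new "forgot password" request invalidates
    links that were already sent out
Tokens are kept only as SHA-256 hashes, so a leaked table yields no usable links.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class ResetToken:
    token_hash: str
    expires_at: Optional[float]  # None means no time limit
    used: bool = False


class FakeClock:
    """Constructed clock so the scenario can jump forward in time offline."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def advance(self, seconds: float) -> None:
        self.t += seconds

    def __call__(self) -> float:
        return self.t


class PasswordResetService:
    def __init__(self, ttl_seconds: Optional[float], revoke_previous: bool,
                 now: Callable[[], float]):
        self.ttl = ttl_seconds
        self.revoke_previous = revoke_previous
        self.now = now
        self._tokens: Dict[str, List[ResetToken]] = {}

    @staticmethod
    def _hash(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def request_reset(self, user_id: str) -> str:
        """Issue a link token: the raw value goes in the e-mail, only its hash is stored."""
        raw = secrets.token_urlsafe(32)
        expires = None if self.ttl is None else self.now() + self.ttl
        outstanding = self._tokens.setdefault(user_id, [])
        if self.revoke_previous:
            outstanding.clear()
        outstanding.append(ResetToken(self._hash(raw), expires))
        return raw

    def redeem(self, user_id: str, raw: str) -> bool:
        """Return True (and consume every outstanding token) if `raw` is still live."""
        candidate = self._hash(raw)
        now = self.now()
        for tok in self._tokens.get(user_id, []):
            live = not tok.used and (tok.expires_at is None or now < tok.expires_at)
            if live and hmac.compare_digest(tok.token_hash, candidate):
                # Single use: once the password is reset, nothing sent earlier may be replayed.
                for other in self._tokens[user_id]:
                    other.used = True
                return True
        return False


def hijack_scenario(ttl_seconds: Optional[float], revoke_previous: bool,
                    user_reads_mail_after: float) -> Dict[str, bool]:
    """Replay the question's timeline and report who can still reset the password.

    Day 0: the site e-mails the real user a reset link after the takeover.
    Day 1: the attacker also clicks "forgot password" and receives a link.
    Later: the real user finally opens the mail and tries the original link.
    """
    if user_reads_mail_after < DAY:
        raise ValueError("scenario assumes the user reads mail after the attacker's request")
    clock = FakeClock()
    svc = PasswordResetService(ttl_seconds, revoke_previous, clock)
    user_link = svc.request_reset("alice")          # constructed user id
    clock.advance(DAY)
    attacker_link = svc.request_reset("alice")
    clock.advance(user_reads_mail_after - DAY)
    user_ok = svc.redeem("alice", user_link)
    attacker_ok = svc.redeem("alice", attacker_link)
    return {"user_can_reset": user_ok, "attacker_link_still_works": attacker_ok}


if __name__ == "__main__":
    print("1h TTL, revoke on reissue:   ", hijack_scenario(HOUR, True, 7 * DAY))
    print("until used, keep old links:  ", hijack_scenario(None, False, 7 * DAY))
    print("until used, revoke on reissue", hijack_scenario(None, True, 7 * DAY))
```

Running the three scenarios shows the trade-off the question describes: a one-hour TTL locks out the user who reads mail a week later; "valid until used" without revocation lets the original link work and, because redemption consumes every outstanding token, leaves the attacker's later link dead; "valid until used" with revoke-on-reissue lets the attacker's repeat request cancel the real user's link. Whatever policy a site picks, hashing tokens at rest, constant-time comparison and single-use redemption are the parts that should not vary.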


Solution

I would set the hash until activated and a captcha is done because the hacker could use a bot to get on the website.

Edit: The Hacker will not know secret password for reset verification.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow