Question

I have a page where a user can request a password reset link if they have forgotten the password to their account. I also want to create a way for a user to change their password if they are already logged into their account. Would it be better to create separate pages for each of these different types of password resets, or should I just change the form based on whether the user is logged in or not? Does it really matter? Is there a general standard?


Solution

Create separate pages. Reset links (when users are not logged in) usually use a unique GET value. When the user asks for a link to be sent to them, a value is inserted into the database. When a person visits the reset page, the server will check the GET value entered into the URL. If the GET value matches a unique value that is in the database, then the person is given the opportunity to put in a new password. The unique values in databases are usually set to expire pretty quickly. This prevents people from using brute force to reset someone else's password.

You don't want to mix the above with a simple password change that is initiated when a user is logged in.
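The token lifecycle the answer describes (issue a unique value, store it, check the GET value, expire it quickly), as an added Python example that is not part of the original answer. The in-memory dict stands in for the database table, the 15-minute lifetime is an assumed value, and storing only a hash of the token is an added hardening choice.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed short lifetime, as the answer recommends

# Constructed stand-in for the database table of pending reset requests:
# sha256(token) -> {"user_id": ..., "expires_at": ...}
RESET_REQUESTS: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    # Store only a hash so a leaked table does not yield usable reset links
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: int, now: Optional[float] = None) -> str:
    """Create the unique value that goes into the emailed link (?token=...)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
    RESET_REQUESTS[_hash_token(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Validate the GET value from the reset URL.

    Returns the user id when the token is known and unexpired, otherwise None.
    The record is removed on every lookup, so a link works at most once and an
    expired one is purged instead of lingering in the table.
    """
    now = time.time() if now is None else now
    record = RESET_REQUESTS.pop(_hash_token(token), None)
    if record is None:
        return None  # unknown token: nothing to reset
    if now > record["expires_at"]:
        return None  # expired: the link is no longer honoured
    return record["user_id"]
```

The logged-in password change the answer keeps separate needs none of this: it just re-checks the current password inside the existing session.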

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow