Verify secure, time-limited password reset link is sent to user’s email

Ensure that the password reset process is secure, user-friendly, and robust against common security threats. The process must not reveal whether an email is registered, must send a unique and time-limited reset link, and must allow only the new password after reset.

  • Test case designer: name
  • Date of creation: 02.07.2025

Test case description

Users can set a new password using the reset link without issues. Ensure that the password reset link is both secure and only valid for a limited time.

Pre-state:

The user has an existing account with a registered email address.

The user is on the login page and has forgotten their password.

Test Steps

  1. Request password reset with a registered email
  • Go to the password reset page.
  • Enter a registered email address and submit the request.
  2. Request password reset with an unregistered email
  • Go to the password reset page.
  • Enter an unregistered email address and submit the request.
  3. Verify that the system does not reveal whether the email is registered
  • Observe the system’s response for both cases.
  • Confirm that the response is generic and does not indicate whether the email is registered or not (no user enumeration).
  4. Check that a reset link is sent to the registered email
  • Access the inbox of the registered email.
  • Confirm that a password reset email is received.
  • Confirm that no email is sent to the unregistered address.
  5. Verify that the reset link is unique, secure, and time-limited
  • Inspect the reset link in the email.
  • Confirm that the link contains a unique, random token.
  • Confirm that the link is sent over HTTPS and does not expose sensitive data.
  • Note the validity period of the link (e.g., 1 hour).
  6. Use the reset link to set a new password
  • Open the reset link within its validity period.
  • Enter and confirm a new valid password.
  • Submit the new password.
  • Confirm that the system accepts the new password and confirms the reset.
  7. Attempt to reuse the reset link (should fail)
  • Try to open and use the same reset link again after a successful reset.
  • Confirm that the system displays an error message and does not allow another reset.
  8. Attempt to use the link after expiry (should fail)
  • Wait until the link’s validity period expires (or simulate expiry if possible).
  • Try to use the link after expiry.
  • Confirm that the system displays an error message and does not allow a reset.
  9. Log in with the new password (should succeed)
  • Go to the login page.
  • Log in with the registered email and the new password.
  • Confirm that login is successful.
  10. Log in with the old password (should fail)
  • Go to the login page.
  • Attempt to log in with the registered email and the old password.
  • Confirm that login fails.
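A minimal reference implementation of the behaviour the steps above check, added here as an illustration and not part of the original test case or of any particular application. The in-memory store, the constructed `https://app.example/reset?token=...` link format and the `PasswordResetService` name are assumptions; times are plain Unix-style seconds so expiry can be simulated as step 8 suggests.

```python
import hashlib
import hmac
import secrets

RESET_TTL_SECONDS = 3600  # validity period from step 5 (1 hour)
GENERIC_REPLY = "If that address is registered, a password reset link has been sent."

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordResetService:
    """In-memory stand-in for the user store and the outgoing mail queue (constructed)."""

    def __init__(self):
        self.users = {}         # email -> {"salt": bytes, "pw": bytes}
        self.reset_tokens = {}  # sha256(token) -> (email, expires_at); raw token never stored
        self.outbox = []        # (email, reset_link) pairs that would go out by mail

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw": _hash_password(password, salt)}

    def request_reset(self, email, now):
        # Identical reply for known and unknown addresses (step 3: no user enumeration).
        if email in self.users:
            token = secrets.token_urlsafe(32)  # unique, unguessable token (step 5)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.reset_tokens[digest] = (email, now + RESET_TTL_SECONDS)
            self.outbox.append((email, "https://app.example/reset?token=" + token))
        return GENERIC_REPLY

    def reset_password(self, token, new_password, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self.reset_tokens.pop(digest, None)  # pop: the token is consumed (step 7)
        if record is None:
            return False
        email, expires_at = record
        if now >= expires_at:  # expired link (step 8)
            return False
        self.register(email, new_password)  # new hash replaces the old one (steps 9, 10)
        return True

    def login(self, email, password):
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user["pw"], _hash_password(password, user["salt"]))
```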

Expected result

  • Password reset is possible only for registered users.
  • The system does not reveal whether an email is registered (no user enumeration).
  • A reset link is sent only to the registered email.
  • The reset link is unique, secure, and time-limited.
  • The reset link cannot be reused or used after expiry.
  • Only the new password works after reset; the old password no longer works.
  • The user can successfully log in with the new password.
Edited by AH0984