As I am currently in the middle of a process to redesign a secure self-service password reset function, I started to write up a post on do's and don't of password reset. Then, after browsing around a bit, I found this great little gem at, in which Troy Hunt does an amazing job at documenting what choices you should make, and just as importantly, what the reason is behind each of these design choices.

One thing to add to that post is that, by allowing self-service password reset according to a well-defined and intuitive process, you really do your help desk a great service. However, at the same time, you create a possible weak spot in your security architecture.

Since the reset-function, by its nature, is an unauthenticated web-based process, it is certain that it will attract unwanted attention. Watch it like a hawk, and have an incident response process ready before you bring it live.