
Best Practices To Handle Password Reset Emails

Password reset emails are among the most common transactional emails sent anywhere. You cannot build a software application with user accounts and skip the "reset password" notification. That ubiquity is a large part of why designing and writing a password reset email is trickier than it looks: because they are common and taken for granted, small details decide whether yours is great or merely adequate.

Note these technical considerations

This post focuses on the content and design of the password reset email. Many technical decisions also matter in how you handle passwords, for instance the reset process itself and the interface that lets someone change their password, but they are outside today's scope. For the technical implementation of the reset feature, read Troy Hunt's article "Everything you ever wanted to know about building a secure password reset feature."

“SMART” Emails for Password Reset

One technical consideration is important enough to cover here: do not leak which usernames or email addresses exist during the reset flow. It relates directly to the emails you send, so we cannot leave it out.

It is wise to neither confirm nor deny that an account exists for a given email address or username. The leak happens when a user tries to log in or reset their password and the site displays whether the username or email address was found. You have probably seen an error such as "We couldn't find a user with that email address." The absence of that message tells anyone watching that an account with that address does exist, and repeating the request with a list of addresses turns your reset form into an account enumeration tool.

The usability problem is that you cannot tell the user you found their address, and you cannot tell them you did not. If they registered with a different address, the page must not reveal that either. The approach is to always send an email to the address the user provided, and to show the same confirmation on screen every time: "An email has been sent to (the address the user entered) containing further instructions." Only the content of the email changes, depending on whether an account with that address exists.

This approach needs two emails. The first is the normal reset email with the URL and the usual instructions. The second tells the recipient that no account exists for that address and offers an alternative: trying a different address, or contacting support.

When the account exists, send the normal password reset email. When it does not, send the "account not found" email and suggest a different address. The cost of this method is that the feedback is no longer immediate, as it would be with a "user not found" message on the page. The benefit is that nobody can use your reset form to compile a list of accounts on your service.

Done this way, the application never leaks which usernames or addresses exist. Only the owner of the mailbox learns whether an account is attached to it. Anyone probing for existing users sees the very same confirmation on screen regardless of the address they enter, and learns nothing about whether an account exists.
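The request handler this section describes, as an added example (not code from the original post): the on-screen response is identical for every address, the difference lives only in which of the two email templates is queued, and the reset token is stored only as a hash. The user table, outbox, route and domain are constructed placeholders.

```python
import hashlib
import secrets
import time

# Constructed sample data: the only account that exists in this demo.
USERS = {"alice@example.com": {"id": 1}}

# sha256(token) -> (user_id, expires_at). The raw token never touches
# storage, so a database leak does not hand out working reset links.
RESET_TOKENS = {}

# Stands in for the email queue. A real application hands this to a
# background worker, so the HTTP response takes the same time whether
# or not the account exists (a timing difference leaks the same fact).
OUTBOX = []

TOKEN_TTL = 30 * 60  # seconds the link stays valid; the email states this too


def token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, now):
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[token_hash(token)] = (user_id, now + TOKEN_TTL)
    return token


def request_password_reset(address, now=None):
    """Handle a 'forgot password' submission.

    Returns the same confirmation text for every input, so the page never
    reveals whether an account exists. The difference is confined to the
    email that reaches the mailbox owner.
    """
    now = time.time() if now is None else now
    address = address.strip().lower()
    user = USERS.get(address)
    if user is not None:
        token = issue_token(user["id"], now)
        OUTBOX.append({
            "to": address,
            "template": "reset",
            # Hypothetical route: the token rides in the href of a link.
            "link": f"https://app.example.com/reset?token={token}",
            "expires_at": now + TOKEN_TTL,
        })
    else:
        # Same shape of work in this branch: generate (and discard) a token
        # so both paths do comparable work, then queue the 'not found' email.
        secrets.token_urlsafe(32)
        OUTBOX.append({"to": address, "template": "not_found"})
    return f"An email has been sent to {address} containing further instructions."


if __name__ == "__main__":
    print(request_password_reset("alice@example.com"))
    print(request_password_reset("nobody@example.com"))
    print([m["template"] for m in OUTBOX])  # ['reset', 'not_found']
```

Rate-limit the endpoint per address and per source IP as well; the uniform response stops enumeration, but it does not stop someone flooding a mailbox with reset emails.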

Password Reset Email Goals

A password reset email has very few goals. Usually there is only one: help the user regain access to their account securely, most often through a password reset link. The complications come from the edge cases: the link expiring, a problem entering the new password, whether it works on their mobile device, and the possibility that they never requested the reset at all.

The primary goal is simple, but the edge cases around helping the person are not always easy. Because those edge cases are only loosely related, the email's purpose splits into two major goals, depending on the context of the request.

1. Help them regain access to their account if they initiated the request

Here, what matters is getting them to the page where they reset their password. Make that primary action easy to find, and make it easy to get help, whether by replying to the email or through a link to a support form. If they hit a problem, they should be able to reach someone.

Letting recipients reply to the email has a catch: a reply quotes the original message, reset URL included, into your support system, where a support agent could misuse it. If your support team is trustworthy this may be acceptable, but it is one of the cases where a no-reply address is justifiable, because it keeps live reset links out of the support queue.

2. If they did not initiate the request, or do not remember doing so, explain what this could mean and whether they should be worried

Whenever a reset can be triggered by entering an address, some people will receive a reset email they never requested. Often it is a typo in someone else's address, but it may also be someone trying to gain access to the account. If the reset process is well engineered, the notification itself does no harm: the link only works for whoever holds the mailbox, and it expires.

The recipient, however, cannot see how well it is engineered and may be concerned. Whether or not the link expires automatically, take the steps that prevent problems: give the recipient a way to invalidate the URL immediately if they did not make the request, for example a secondary action such as "I did not request a password reset." This goes a long way.

Less technical users may be worried by such an email. Tell them plainly that if they did not request the reset they do not need to do anything, and that it is safe to ignore the notification. Also give them a way to contact support if they feel the account's security is threatened.

Password Reset Email's Key Considerations And Common Mistakes

1. Using emails to send passwords

This one belongs to the password-handling implementation rather than the email, but it shows up in the email. If your system can email a user their existing password, it is storing passwords in a recoverable form, which is a serious problem that needs engineering changes; emailing a freshly generated password instead sends a working credential over a channel you do not control. Either way, send a secure, single-use reset URL, never a password.

2. Accidentally making the emails look like phishing

Password reset emails are one of the most common phishing lures. The fakes can imitate a sender's brand very well, but they are often poorly formatted and sloppy. Do not let your genuine email look the same: avoid sloppy text and an awkward raw URL full of a random token. A user who has just requested the reset will probably not be worried, but include the details that make your email recognizable as yours (consistent branding, a sender domain they know, links to a domain they know) rather than as a phishing attempt.

If, given the nature of your business, phishing that imitates you is a growing problem, publish and enforce a DMARC policy. With SPF and DKIM in place and DMARC set to quarantine or reject, receiving mail servers can discard messages that forge your domain, and your customers have a reason to trust that email from your domain really is from you.
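The DNS records behind that policy, as an added illustration rather than anything from the original post. The domain, the provider's SPF include, the DKIM selector and the reporting mailbox are placeholders; your sending service supplies the real values, and the DKIM public key is the one it gives you.

```text
; SPF: only the listed senders may use example.com in the envelope sender.
; '-all' is a hard fail; start with '~all' while you confirm every legitimate source.
example.com.                  IN TXT "v=spf1 include:_spf.mailprovider.example -all"

; DKIM: public key for the selector your sending service signs with.
mail._domainkey.example.com.  IN TXT "v=DKIM1; k=rsa; p=<public key from your provider>"

; DMARC: roll out p=none (monitor only) -> quarantine -> reject as the
; aggregate reports (rua) show that all legitimate mail passes alignment.
; adkim=s / aspf=s require the DKIM d= / SPF domain to match the From: domain exactly.
_dmarc.example.com.           IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

The point that bites most teams is alignment: DMARC only passes if the domain in the visible From: header matches the domain that SPF or DKIM authenticated, so a reset email sent "from" example.com through a provider that signs with its own domain will be rejected under p=reject until the provider signs with your selector.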

3. Slow sending or poor deliverability

Slow delivery of password reset emails causes real problems. A good delivery time means the email lands in the inbox in under 20 seconds; anything slower is slow, and more than 60 seconds means something is wrong. Slow resets damage your reputation with users and create extra work for your support team. Fast delivery times also go hand in hand with good deliverability.

On the surface, an email provider looks like a commodity service, but dig into their performance, reliability and deliverability and you will find that it is not. People expect the password reset email to arrive as soon as they request it. When it does not, some move on and never come back to check whether it arrived, and others contact support immediately. Either way the business suffers. Occasionally slow sending is something you can work around, but when password reset support requests start piling up, you have a real problem.

Information to Include in these Emails

In theory, password reset emails are simple, but a few details must be right. The details vary with your audience and product, but the common elements are as follows.

1. A readable, relevant subject and a recognizable "from" name

People go straight to their inbox right after submitting the reset request. The subject and sender are not as vital as the link itself, but they are the first thing the recipient sees, so use a clear subject and "from" name that let them identify the email and act on it immediately.

2. The password reset link

The reset link is usually the most crucial information in the whole message: make it stand out and easy to use. Because the URL carries a long random token, it looks clunky in raw form, so put it in the href attribute of a link with readable anchor text rather than pasting the bare URL into the body. Keep the raw URL in the plain-text part of the message for clients that do not render HTML.

3. Information about the expiration

Reset links should always expire, and you should tell the recipient when. Also include a way to request a fresh link if the current one has expired.

A well-engineered reset process invalidates the reset URL automatically after some time. Some expiration windows are aggressive enough that the URL expires before the user even sees the email, let alone resets their password. So always tell the recipient the exact date and time at which the link expires, and make the window long enough to absorb normal delivery delays.
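The token lifecycle behind the expiry information in this section and the "I did not request this" action described earlier, as an added example (not the original post's code): tokens are stored as hashes, expire at a stated time, work exactly once, and can be cancelled by the recipient. The routes and domain are assumed placeholders.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # the window the email tells the recipient about

# sha256(token) -> {"user": ..., "expires": float, "used": bool}
TOKENS = {}


def token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue(user, now):
    """Mint a single-use reset token; the raw token goes only into the email."""
    token = secrets.token_urlsafe(32)
    TOKENS[token_hash(token)] = {"user": user, "expires": now + TOKEN_TTL, "used": False}
    return token


def redeem(token, now):
    """Consume a token. Call this only when the new-password form is POSTed,
    never on the GET of the link itself: mail scanners and link previewers
    follow GETs and would burn the token before the user arrives."""
    rec = TOKENS.get(token_hash(token))
    if rec is None:
        return False, "unknown"   # never issued, or already cancelled
    if rec["used"]:
        return False, "used"      # single use: a second submit must fail
    if now >= rec["expires"]:
        return False, "expired"   # tell the user; offer a fresh request
    rec["used"] = True
    return True, rec["user"]


def invalidate(token):
    """The 'I did not request this' link: kill the token immediately.
    Safe to hit repeatedly, so a prefetch or double click does no harm."""
    return TOKENS.pop(token_hash(token), None) is not None


def render_email(token, now):
    """Plain-text body that states the exact expiry and carries both actions."""
    expires = TOKENS[token_hash(token)]["expires"]
    minutes = int((expires - now) // 60)
    stamp = time.strftime("%Y-%m-%d %H:%M UTC", time.gmtime(expires))
    return (
        f"Reset your password: https://app.example.com/reset?token={token}\n"
        f"This link works once and expires in {minutes} minutes ({stamp}).\n"
        f"Didn't request this? Cancel it: https://app.example.com/reset/cancel?token={token}\n"
    )


if __name__ == "__main__":
    t = issue("alice", time.time())
    print(render_email(t, time.time()))
    print(redeem(t, time.time()))  # (True, 'alice')
    print(redeem(t, time.time()))  # (False, 'used')
```

Two details worth keeping: the lookup is by hash, so the database never holds a usable token, and the expiry check compares against the time of the submit, so a link that was valid when the page loaded still fails if the user waits past the window.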

4. How to contact support

Someone requesting a reset wants back into their account, whether they forgot their password or their username, and your job is to get them there. When the process goes smoothly, the automated flow is all that is needed. When it does not, they need another option: at minimum, a direct channel to the support team; ideally, several options so they can pick whichever fits their situation.

5. Who requested the reset? Include the IP address or user agent

Although it takes extra engineering, telling the user who or what initiated the request is valuable. It is simple to do: include the operating system or browser the request came from, or the IP address. You can go a step further and run the IP address through a geolocation lookup to show an approximate location. It will not help every audience, and IP-based location is only approximate (VPNs and mobile carriers skew it), but for the right product and audience it builds trust.

6. The "address not found" email

If you take the approach described above and answer every request by email, write a dedicated email for the case where no account matches the address, and use it. The request may or may not be malicious. Tell the recipient that a reset was requested for their address, that no account was found, and whether they should be concerned. If they did make the request, suggest that they try another email address.

Summary

Below is a summary list to help you remember each point when you design and build the email template.

  • Include a subject that is relevant and readable as well as a “from” name
  • Add the link to be used for password resetting
  • Include the information about the expiration time for the link. Is it 5 minutes or 24 hours?
  • Add the contact information for support
  • Include the information about who sent the request whether IP address or user agent

Even if you use a different email service provider, we still want to help you end up with the best transactional emails. We welcome your thoughts on how we can improve.
