: When a user changes their password, should I let the old password be valid for a few days? I'm building a new web site. I'm now writing the code where a user can request an email to reset

@BetL925

The email to reset the password shouldn't change the password until the recipient clicks on the link in the email. If the password is changed when the email is sent out, then you have effectively locked out the real user in the case that somebody else had requested that their password be reset.

Once the user clicks on the link in the email to reset the password, the new password should take effect immediately.

If you have a form for logged in users to change their password, that should take effect immediately. Users will probably use that in the case they wish to change their password for security reasons.

Vote Up Vote Down

@Kimberly868

You should change the password immediately. There are several reasons for this:


If the account has been compromised allowing the old password will mean that the account is still compromised and the attacker will be able to change it again.
Every other system changes the password immediately, so this is what the user will be expecting.
If you allow the old password the user might not think that the password has in fact been changed so may well initiate the "change password" procedure again.


All changes for a password should be confirmed via an e-mail sent to the registered address and as long as you don't allow a change of password and a change of contact e-mail address at the same time then the it should be difficult for an attacker to gain control over the account.

You would only allow the change when the user visits the page you link to in the e-mail or allow the change to be rejected via a link.

Vote Up Vote Down