Users often forget their passwords — the key to accessing their accounts. To handle this, include a "Forgot your password?" link on the sign-in page.
❌ Figure: Bad example - What will happen to the poor user who forgot their password?
✅ Figure: Good example - Users have an option if they forget their password
✅ Figure: Good example - Users enter their email to get a new password
For best UX, “Forgot your password?” should usually be a single clickable link — the question itself is enough to imply “Click here to reset.”
Forgot your password? Click here to reset your password
❌ Figure: Bad example - Unnecessary text for a common action
Forgot your password?
✅ Figure: Good example - Short, clean, standard on most sites
Note: In UI text, use "your password" rather than "my password" to speak directly to the user.
A password reset feature also opens up the risk of "username enumeration", where an entire collection of usernames or email addresses can be validated for existence on the website simply by batching requests and looking at the responses.
Read more in Troy Hunt's blog post "Everything you ever wanted to know about building a secure password reset feature".
You should always aim not to disclose whether a user is registered with your site.
❌ Figure: Bad example - Displaying information about whether a user exists or not
✅ Figure: Good example - Do not disclose whether a user is registered with your site
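The difference between the bad and good examples above, sketched as an added example (not code from the original page): a reset handler whose response depends on whether the account exists, next to one that always answers the same way, plus a check you can keep as a regression test. The in-memory user set, outbox, function names and example.com URL are all assumptions made for the illustration.

```python
import hashlib
import secrets

# Constructed sample data: the only registered account in this demo.
USERS = {"alice@example.com"}
OUTBOX = []        # stands in for the mail system: (recipient, body)
RESET_TOKENS = {}  # sha256(token) -> email; only the hash is stored

GENERIC_REPLY = (200, "If that address is registered, we have emailed "
                      "instructions for resetting your password.")


def normalise(email):
    return email.strip().lower()


def _send_reset_link(email):
    # Single-use random token goes to the mailbox owner, never into the page.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    OUTBOX.append((email, f"https://example.com/reset?token={token}"))


def reset_leaky(email):
    """Bad: status and message differ, so the response reveals registration."""
    email = normalise(email)
    if email not in USERS:
        return (404, "No account found for that email address.")
    _send_reset_link(email)
    return (200, "A reset link has been sent to your email.")


def reset_uniform(email):
    """Good: same status and body whether or not the account exists."""
    email = normalise(email)
    if email in USERS:
        _send_reset_link(email)
    return GENERIC_REPLY


def leaks_registration(handler, known, unknown):
    """True if the handler answers differently for a registered address."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        leaks = leaks_registration(handler, "alice@example.com", "nobody@example.com")
        print(handler.__name__, "leaks registration:", leaks)
```

The same check belongs on every field a client can observe (status code, body, redirects), since any difference between the two responses defeats the generic message.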