Password reset (self-service)
An unauthenticated user requests a password reset, receives a reset link via email, and sets a new password.
When this happens: You click Forgot Password? on the login page.
Step by step
- 1
Click Forgot Password? on the login page.
EasyCRM shows the Forgot Password form with an Email field.
- 2
Enter your email address and click Send Reset Link.
EasyCRM checks the email format. Regardless of whether the email matches an account, it displays: If an account exists with this email, a password reset link has been sent. (This prevents email enumeration.) If the email matches an active user, EasyCRM generates a cryptographically random reset token (at least 256 bits) and stores its SHA-256 hash, not the token itself, with a 1-hour expiry. EasyCRM then sends an email with the subject Reset your CRM password containing a reset link:
https://<domain>/reset-password?token=<token>
- 3
Open the email and click the reset link.
EasyCRM hashes the token from the link and looks up the hash: it must exist, must not have expired, and must not have been used. EasyCRM shows the Reset Password form (New Password, Confirm New Password).
- 4
Enter a new password, confirm it, and click Reset Password.
EasyCRM checks that the new password meets the policy, that it differs from the last 5 passwords, and that both fields match. It then updates the password hash (bcrypt), invalidates the reset token, and revokes all existing refresh tokens, so existing sessions cannot be renewed. EasyCRM sends a confirmation email: Your password was changed on [date/time]. EasyCRM takes you to the login page with the message: Password reset successfully. Please log in with your new password.
Other paths
Email not found
If no active user matches the email, EasyCRM still displays the generic success message (step 2). No email is sent and no token is generated.
If something goes wrong
Token expired
If the token is expired (older than 1 hour), EasyCRM shows: This reset link has expired. Please request a new one, with a link to the Forgot Password form.
Token already used
If the token has already been consumed, EasyCRM shows: This reset link has already been used. If you need to reset your password again, please request a new link.
Invalid token
If the hash of the token does not match any stored token, EasyCRM shows: Invalid reset link. Please request a new one.
Password policy violation
If the new password fails policy validation, EasyCRM shows the specific failures inline (e.g. Must be at least 12 characters, Must contain a special character). Correct the password and resubmit.
Password history violation
If the new password matches one of the last 5 passwords, EasyCRM shows: You cannot reuse your last 5 passwords. Please choose a different one.
Rate limiting
If 3 resets have already been requested for this email in the last hour, EasyCRM still displays the generic success message but does not send another email.
Deactivated account
If the email matches a deactivated user, EasyCRM shows the generic success message but does not send an email.
Good to know
- Reset token is single-use, valid for 1 hour.
- Password must satisfy the active password policy.
- Max 3 reset requests per email per hour — subsequent requests silently ignored.
- Generic "success" message — never reveal whether email exists.
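To make the token, expiry, single-use, password-history and rate-limit rules above concrete, here is an added example modelled on the steps and error paths on this page. It is not EasyCRM's own code: the reset-link host name, the message shown for a malformed email, and the use of hashlib.scrypt in place of the bcrypt the page specifies are assumptions made for the example.

```python
# Added example (not EasyCRM's own code) modelling the reset flow described on this page.
# Assumed: the host name in the reset link, the wording for a malformed email, and
# hashlib.scrypt standing in for the bcrypt the page specifies.
import hashlib, hmac, os, re, secrets, time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 3600      # reset link is valid for 1 hour
MAX_REQUESTS_PER_HOUR = 3     # later requests are silently ignored
HISTORY_DEPTH = 5             # new password must differ from the last 5
GENERIC_MSG = "If an account exists with this email, a password reset link has been sent"

def hash_password(password, salt=None):  # salted scrypt, a stand-in for bcrypt
    salt = salt or os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def check_password(password, stored):
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

def policy_errors(password):  # inline messages from the page, one per failed rule
    errors = []
    if len(password) < 12:
        errors.append("Must be at least 12 characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("Must contain a special character")
    return errors

@dataclass
class User:
    email: str
    password_hash: bytes
    active: bool = True
    history: list = field(default_factory=list)      # earlier hashes, at most 4 kept
    refresh_tokens: set = field(default_factory=set)

@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False

class ResetService:
    def __init__(self, users, now=time.time):
        self.users = {u.email.lower(): u for u in users}
        self.tokens = {}    # sha256(token) -> ResetRecord; the raw token is never stored
        self.requests = {}  # email -> timestamps of reset requests in the last hour
        self.outbox = []    # (to, subject, body) tuples the mailer would deliver
        self.now = now      # injectable clock so expiry can be exercised

    def request_reset(self, email):
        """Step 2: always answer with GENERIC_MSG; only mail an active, non-rate-limited user."""
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
            return "Enter a valid email address"  # assumed wording
        email = email.lower()
        user = self.users.get(email)
        if user and user.active and self._under_rate_limit(email):
            token = secrets.token_urlsafe(32)  # 256 bits of randomness
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = ResetRecord(email, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, "Reset your CRM password",
                                "https://crm.example/reset-password?token=" + token))
        return GENERIC_MSG  # unknown, deactivated and rate-limited addresses look identical

    def _under_rate_limit(self, email):
        recent = [t for t in self.requests.get(email, []) if t > self.now() - 3600]
        allowed = len(recent) < MAX_REQUESTS_PER_HOUR
        if allowed:
            recent.append(self.now())
        self.requests[email] = recent
        return allowed

    def check_token(self, token):
        """Step 3: 'ok', or which of the page's error screens to show."""
        record = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if record is None:
            return "invalid"
        if record.used:
            return "used"
        if self.now() > record.expires_at:
            return "expired"
        return "ok"

    def reset_password(self, token, new_password, confirm):
        """Step 4: returns (status, policy_messages); 'ok' means the password changed."""
        status = self.check_token(token)
        if status != "ok":
            return status, []
        if new_password != confirm:
            return "mismatch", []
        errors = policy_errors(new_password)
        if errors:
            return "policy", errors
        record = self.tokens[hashlib.sha256(token.encode()).hexdigest()]
        user = self.users[record.email]
        if any(check_password(new_password, h) for h in [user.password_hash] + user.history):
            return "history", []
        user.history = (user.history + [user.password_hash])[-(HISTORY_DEPTH - 1):]
        user.password_hash = hash_password(new_password)
        record.used = True            # single use
        user.refresh_tokens.clear()   # every existing session must log in again
        when = time.strftime("%Y-%m-%d %H:%M UTC", time.gmtime(self.now()))
        self.outbox.append((user.email, "Password changed", "Your password was changed on " + when))
        return "ok", []
```

Two points worth noticing in the example: request_reset returns the same string on every path, including the rate-limited and deactivated cases, and the only thing written to the token store is the SHA-256 digest, so a leaked copy of that store does not let anyone build a working reset link. The clock is injected so that the expiry path can be exercised without waiting an hour; in production the default time.time is used.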