AAAI-05
Critical
Weight: 10

Password Reset Procedures

Plain English Explanation

This question asks whether you have written, official procedures for how passwords get reset, both when users do it themselves through a 'forgot password' link and when they contact support for help. It asks for evidence that these steps are documented and followed rather than improvised: consistent, secure steps that stop accounts from being hijacked through forged reset requests.

Business Impact

Weak password reset procedures are a common route to account takeover. Without documented procedures, support staff may reset a password on the strength of easily faked information, handing an attacker access to customer data. Well-documented procedures reduce support costs by enabling self-service, reduce security incidents, and demonstrate SOC 2 readiness. They also keep handling consistent across the support team, which closes the procedural gaps that social engineering attacks exploit.

Common Pitfalls

Many companies have informal reset procedures but no written documentation, which makes audits impossible and training inconsistent. Another mistake is documenting procedures that are not actually followed, which creates liability during a security incident. Teams often omit verification steps from their procedures, making it too easy for an attacker to reset the password of an account they do not own. A useful procedure states what counts as verification (for example, confirmation through a contact channel already on file, not details an attacker can research), and requires self-service reset links to expire and to work only once.
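As an added illustration of the points above (example code, not part of the questionnaire or any vendor's product), the following sketch encodes the rules a written reset procedure should state: the self-service form answers identically whether or not the address exists, only a hash of the reset token is stored, links expire and are single-use, and a support agent cannot issue a temporary password until every step of a documented verification checklist is recorded in an audit trail. The class and method names, the 15-minute lifetime, the PBKDF2 work factor and the three checklist items are assumptions chosen for the example.

```python
"""Added example (not the page's own code): a minimal self-service and support-assisted
password-reset flow that encodes the verification rules a written procedure should state.
All names, the 15-minute TTL, the work factor and the support checklist are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: reset links expire after 15 minutes
PBKDF2_ROUNDS = 100_000       # assumed; use the work factor your stack recommends

# Assumed documented checklist for a support-assisted reset. An agent may not issue a
# temporary password unless every step is recorded. Data an attacker can research
# (birthday, mother's maiden name) is deliberately not on the list.
SUPPORT_VERIFICATION_STEPS = frozenset({
    "callback_to_registered_phone",   # out-of-band contact via a channel already on file
    "recent_activity_confirmed",      # e.g. the caller names a recent login or order
    "ticket_id_recorded",             # so the reset is traceable in an audit
})


@dataclass
class ResetRequest:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    def __init__(self, users, now=time.time):
        self._users = dict(users)   # email -> user_id (constructed sample directory)
        self._pending = {}          # sha256(token) -> ResetRequest; raw tokens are never stored
        self._creds = {}            # user_id -> (salt, pbkdf2 hash)
        self._now = now             # injectable clock so expiry can be tested
        self.outbox = []            # (email, token) "emails" for the demo instead of SMTP
        self.audit = []             # decisions taken on support-assisted resets

    def _set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._creds[user_id] = (salt, digest)

    def verify_password(self, user_id, password):
        if user_id not in self._creds:
            return False
        salt, digest = self._creds[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    # --- self-service 'forgot password' link ---------------------------------------
    def request_reset(self, email):
        """Same reply whether or not the address exists, so the form cannot enumerate accounts."""
        user_id = self._users.get(email.strip().lower())
        if user_id is not None:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            # one outstanding link per user: a new request invalidates older ones
            self._pending = {k: r for k, r in self._pending.items() if r.user_id != user_id}
            self._pending[key] = ResetRequest(user_id, self._now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        match = None
        for stored, req in self._pending.items():   # no early exit: same work for every token
            if hmac.compare_digest(stored, key):
                match = req
        if match is None or match.used or self._now() > match.expires_at:
            return False                             # unknown, replayed or expired link
        match.used = True                            # single use, even before the TTL elapses
        self._set_password(match.user_id, new_password)
        return True

    # --- support-assisted reset ------------------------------------------------------
    def support_assisted_reset(self, user_id, completed_steps, agent):
        """Returns a one-time temporary password, or None if the documented checklist is incomplete."""
        missing = sorted(SUPPORT_VERIFICATION_STEPS - set(completed_steps))
        if missing or user_id not in self._users.values():
            self.audit.append({"agent": agent, "user": user_id, "outcome": "refused", "missing": missing})
            return None
        temp_password = secrets.token_urlsafe(12)
        self._set_password(user_id, temp_password)
        self.audit.append({"agent": agent, "user": user_id, "outcome": "reset", "missing": []})
        return temp_password
```

The checklist is the procedure made executable: if a step is skipped, the refusal and the missing step land in the audit record, which is exactly the evidence an auditor asks for when checking that a written procedure is actually followed. In a real deployment the temporary password would be delivered out of band and forced to change at first login.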

Question Information

Category: Authentication, Authorization, and Account Management
Question ID: AAAI-05
Version: 4.1.0
Importance: Critical
Weight: 10/10
