Reset Password - URL Security

Hi all,

I’ve noticed that the default reset password URL is as shown:


It passes the unique user ID so Bubble knows which user to update, however if you also have public user pages, this unique ID is shown in the URL.

Does this mean that anybody could just change a bunch of users passwords since they’ll have the reset password URL and can find each users unique ID?

Hey @trvshowell ,

This reset password ID you are showing is not a user ID but a token; this token stays active for 24 hours once the request has been sent.

Though, in theory, it is possible to guess somebody’s reset password token, you would have to be highly unlucky if a computer was to guess that string. Think of it as a password; if you check this string against a password security checker, they estimate this “password” or string, in this case, would take 50 nonillion years


1 Like

Ah ok! I thought it was a user ID that was passed which would have been bad and easy to troll.