Password reset emails are not pleasant. On the designer’s side, they seem to be almost pointless to spend time on and typically end up as plain-text emails. On the developer’s side, they don’t present any interesting challenges. On the QA tester’s side, they’re a pain to trigger and test out if you don’t have the right tools. But of course, none of that compares to the pain that a user faces when they have to go out of their way to reset their password, only to be faced with a poorly implemented password reset email.
To help you avoid being the target of your users’ ire, we’ve got some tips for how to best create a password reset email, each of them based on the real-world experiences of major technology companies.
The Right Way to Reset a Password
There are three steps to trigger a password reset, each of them crucial to get right. First, you need to put the password reset button front and center on the sign-in form. People need to know exactly where to go to reset their password.
Second, you need to make sure that people can’t use the reset form to find out which email addresses have accounts. You don’t want a feature you’ve built for security to be used to release private information about your users. Instead of showing an error when the address isn’t recognized, your confirmation screen should say something like, “If an account is registered with that email, you’ll receive a reset link in your inbox in a few moments.”
Finally, the email needs to arrive at the right place immediately. These are the top-priority emails to send, since without them your users are just going to be sitting around, refreshing their inbox, waiting to gain access to the service that they’re entitled to use. Even a few minutes can seem like an eternity when all you see is an empty inbox.
The Top Four Great Password Reset Emails
Abstractly knowing how to create a password reset email is one thing, but it’s another thing entirely to do it correctly right off the bat. That’s why we want to give you a leg up and provide some inspiration for your own password reset emails. The four that we’ve included below all focus on different pieces of the password reset puzzle. Some are focused on the security of the passwords and accounts, while others are focused on the brand, and still another is all about making people feel better when going through the unexpected and unpleasant distraction of having to reset a password.
Example #1: The Branding of Jet
Our first example comes to us from the ecommerce company Jet, with the screenshot courtesy of Really Good Emails. We’ve chosen to feature this email for a few different reasons, but first among them is the branding.
Every time your company interacts with a customer, a potential customer, a former customer, or a stranger on the street, you need to be aware of how you’re perceived. In marketing-speak, that means being aware of how consumers engage with your brand.
Jet clearly understands this, as they aren’t missing even the most trivial opportunity to reinforce their brand. As you can tell, Jet has fully bought into its brand’s color palette, its system of illustrations, and its conversational style of communicating with customers. These may all seem small, but when this level of attention to detail is carried through every part of your company, even so far as to reach your password reset emails, then you’re going to witness a greater response to your brand’s more mission-critical communications. It’s not an overnight generator of success, but it does push your company a bit further along.
Example #2: The Simplicity of Slack
As with Jet, Slack knows what it is. For those who are unfamiliar, Slack bills itself as the place “where work happens.” In other words, it’s the place where teams stay in touch with each other, where conversations take place, and for many companies, it’s where their entire business happens.
That is why Slack is so focused on serving the core communications needs of its users. In fact, if you were to ask a random user to describe it, they’d probably use a word like “utilitarian.” That’s because Slack cuts out anything unrelated to the core use case of the service (while, somehow, also coming across as fun, but that’s a story for another day).
This comes across in their password reset emails. There’s no fluffy dialog, there’s not even a greeting: there’s just a line of text and a button. Slack is aware that if someone can’t get into their account, there’s a serious problem. So, they provide immediate access to their account through one large, centered, prominent button. It’s a rule that’s worth remembering: password reset emails should be an extension of your company at large.
Example #3: The Security Focus of Dropbox
Companies live and die based on what’s in their files. It doesn’t matter what kind of files, or what kind of business, or even if the business is doing well. The truth is that people store their competitive advantages in files of many types and they need to keep them secure. That’s why so many companies use Dropbox, which prides itself on its ability to let anyone see your files, but only if you want those people to see them.
This explains why Dropbox is so focused on emphasizing security in their emails, even their password reset emails. They focus immediately on the possibility that the reset was started by someone else, they remind people not to forward this email, and they tell them what to do if they weren’t the ones who requested the reset. It’s a part of their brand, but it’s also reinforcing why people trust them with their files in the first place: security and responsibility.
Example #4: The Playfulness of Lingo
In a different vein, we have the company Lingo, which is all about visual assets being shared and collaborated on by a team. Again, courtesy of Really Good Emails, we see that Lingo’s password reset email puts a welcoming image front-and-center.
With the lock that literally has a party going on around it, you can tell that they don’t want people to be annoyed by the fact that they can’t get into their account, but instead want them to feel relaxed and welcomed back to the service. This is further reinforced by the warm colors of the email and the relaxed and conversational tone of the copy being used.
Red Flags to Avoid When Creating Password Reset Emails
Of course, resetting a password via email isn’t all about branding and making people feel good. There are also a few important things to include when designing, writing, and building the emails. They might go unnoticed, but they’re critically important.
Red Flag #1: The Token Doesn’t Expire
The first red flag to be aware of is an email with a token that doesn’t expire. If you send an email to someone to reset the password, you need to make sure that the link they click to reset it only works once, only works for a short period of time, and that no one gets access to it who isn’t authorized.
If you don’t do this, you’re going to end up with users who accidentally forward the email to a friend or mistakenly paste the link somewhere it shouldn’t go. After that, it’s anybody’s guess as to who really has access to the account or not.
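One way to get the three properties above (single use, short lifetime, useless to anyone who only sees the stored record), shown as an added example that is not from the original article. The 15-minute lifetime, the in-memory store and the function names are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Assumed lifetime; the article only asks for "a short period of time".
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store (token digest -> record); a real service
# would keep this in its database.
_reset_tokens = {}


def _digest(token: str) -> str:
    # Only a hash is stored, so a leaked table does not yield working links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a random token for user_id and return it for the emailed link."""
    now = time.time() if now is None else now
    # Added hardening (not in the article): a new request cancels older links.
    for key in [k for k, r in _reset_tokens.items() if r["user_id"] == user_id]:
        del _reset_tokens[key]
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    _reset_tokens[_digest(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id for a valid token, or None. A token works once."""
    now = time.time() if now is None else now
    # pop() removes the record on first use, even if it turns out to be expired.
    record = _reset_tokens.pop(_digest(token), None)
    if record is None or now > record["expires_at"]:
        return None
    return record["user_id"]
```

A forwarded or pasted link then stops working as soon as the owner uses it, and in any case once the lifetime has passed.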
Red Flag #2: There’s No On-Site Verification
As with the token, you need to focus on keeping out bad actors. This means asking questions on your website that verify the user’s identity, even if they click on the token before it expires. Some people have access to email accounts that they shouldn’t, but that doesn’t mean they should be able to gain access to every account tied to that email address. It’s up to you to make sure only the right people can reset a password.
Red Flag #3: Their Email Hasn’t Been Verified
Finally, you need to avoid sending password reset emails to email addresses that haven’t been verified. If you don’t do this, some bad things can happen. For example, let’s say someone has the email address, email@example.com. Now, Linda may sign up for your service and mistakenly enter the email address firstname.lastname@example.org, which belongs to someone else.
Down the road, Linda may forget her password and try to reset it. But then, the password reset email is sent to the wrong email address, and the person who controls that address is now able to gain access to an account on a service that they don’t belong to. This may be trivial for some companies, but if there is personally identifiable information, financial records, or any number of other pieces of private data stored in that account, then issues can quickly come up that you’d probably rather avoid.
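The request side of the flow, as an added example that is not from the original article: it combines the uniform confirmation message from the second step of “The Right Way to Reset a Password” with the verified-address rule from Red Flag #3. The account records, field names, outcome labels and the lower-casing of addresses are assumptions; the addresses are constructed placeholders.

```python
import secrets

GENERIC_MESSAGE = (
    "If an account is registered with that email, you'll receive "
    "a reset link in your inbox in a few moments."
)

# Constructed sample accounts for the example.
ACCOUNTS = {
    "verified.user@example.com": {"user_id": "u1", "email_verified": True},
    "unverified.user@example.com": {"user_id": "u2", "email_verified": False},
}


def request_password_reset(submitted_email, outbox, audit_log):
    """Handle the reset form and return the text for the confirmation screen."""
    email = submitted_email.strip().lower()  # assumed normalization
    account = ACCOUNTS.get(email)

    if account is None:
        outcome = "skipped_unknown"
    elif not account["email_verified"]:
        # Never mail a reset link to an address nobody has proven they control.
        outcome = "skipped_unverified"
    else:
        # Queue the message instead of sending inline, so the response time
        # does not depend on whether an email went out.
        outbox.append({
            "to": email,
            "user_id": account["user_id"],
            "token": secrets.token_urlsafe(32),
        })
        outcome = "sent"

    # The real outcome is recorded server-side only; the visitor sees the
    # same message in all three cases.
    audit_log.append(outcome)
    return GENERIC_MESSAGE
```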