Forgot Password Flow Testing Checklist (With Free Template)

Introduction

When users forget their password, they need a quick and secure way to get back into their account. A smooth "Forgot Password" flow builds trust — and if it’s broken or confusing, it can lead to frustration and security issues.

In this blog, you’ll find a checklist to help you test the Forgot Password flow properly. We’ve also included a free template to make your QA process easier. If you liked our login and registration testing guides, this one completes the set!

 

What Is the Forgot Password Flow?

It’s the process that lets users reset their password when they can’t log in. Usually, it goes like this:

  1. Click "Forgot Password?"
  2. Enter email or username
  3. Get a reset link or OTP via email/SMS
  4. Set a new password
  5. See a success message or get redirected to login

Some apps also add extra steps like verifying identity or using two-factor authentication.

 

Forgot Password Flow Testing Checklist

UI/UX Testing

  • Is the "Forgot Password" link easy to find?
  • Are the labels, buttons, and messages clear?
  • Does the layout look good on different screen sizes?
  • Is it easy to navigate with a keyboard?

Input Validation

  • Does the email field accept only valid formats?
  • Do users get helpful error messages for empty or incorrect input?
  • Does the system respond safely to non-registered emails?

Email/OTP Handling

  • Is the email/OTP sent to the right address or number?
  • Is the message clear and on-brand?
  • Does the reset link/OTP expire after a short time?
  • Is the token single-use only?
  • Are old or invalid tokens handled properly?

Security Testing

  • Are there limits to prevent spam or repeated attempts?
  • Is CAPTCHA used where needed?
  • Is the reset link secure, and does it use an encrypted (HTTPS) connection?
  • Does the system avoid confirming if an email exists?
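
To make the token and enumeration checks above concrete, here is an added example (not part of the original checklist or template) that runs them against a small in-memory reset service. The `ResetService` class, the 15-minute lifetime, the reply text and the `example.test` addresses are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed token lifetime in seconds
GENERIC_REPLY = "If that account exists, a reset message has been sent."

class ResetService:
    """Hypothetical in-memory reset backend used to illustrate the checks."""
    def __init__(self, users, clock=time.time):
        self.users, self.clock = set(users), clock
        self.tokens = {}   # sha256(token) -> (email, expires_at); raw token is never stored
        self.outbox = []   # (email, token) pairs that would be sent by email/SMS

    def request_reset(self, email):
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            # A new request invalidates any older token for the same account.
            self.tokens = {d: v for d, v in self.tokens.items() if v[0] != email}
            self.tokens[digest] = (email, self.clock() + TOKEN_TTL)
            self.outbox.append((email, token))
        return GENERIC_REPLY  # identical reply for registered and unknown emails

    def redeem(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop makes the token single-use
        if entry is None or self.clock() >= entry[1]:
            return None
        return entry[0]

def run_checklist():
    now = [1_000.0]  # controllable clock so expiry can be tested without sleeping
    svc = ResetService({"alice@example.test"}, clock=lambda: now[0])
    r = {}
    r["no_enumeration"] = (svc.request_reset("alice@example.test")
                           == svc.request_reset("nobody@example.test"))
    r["nothing_sent_to_unknown"] = [e for e, _ in svc.outbox] == ["alice@example.test"]
    token = svc.outbox[-1][1]
    r["valid_token_works"] = svc.redeem(token) == "alice@example.test"
    r["single_use"] = svc.redeem(token) is None
    svc.request_reset("alice@example.test"); old = svc.outbox[-1][1]
    svc.request_reset("alice@example.test"); new = svc.outbox[-1][1]
    r["old_token_invalidated"] = svc.redeem(old) is None
    now[0] += TOKEN_TTL + 1
    r["expired_rejected"] = svc.redeem(new) is None
    r["garbage_rejected"] = svc.redeem("not-a-token") is None
    return r

if __name__ == "__main__":
    for name, passed in run_checklist().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Against a real application, the same seven checks apply with `request_reset` and `redeem` replaced by calls to the actual reset endpoints.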

Reset Password Form

  • Are password rules clear and enforced?
  • Is there real-time feedback while typing?
  • Does the "confirm password" field work properly?
  • Are error messages easy to understand?

Success Confirmation

  • Is there a clear success message?
  • Does the user return to the login screen or get logged in?
  • (Optional) Is a confirmation email sent?

Edge Cases

  • Can users reuse old passwords? (should be restricted)
  • Do expired or used links show helpful error messages?
  • Are too many reset requests blocked or delayed?
  • What happens if users try to reset while already logged in?

 

Final Thoughts

The "Forgot Password" flow may seem minor, but it’s a key part of both user experience and security. Download the Free Checklist to cover the basics and avoid unwanted surprises.

Check out our other checklists for Login Pages and User Registration — and don’t forget to share this one with your QA team!

 


Coders Employee
Aseel Yasser
Software QA Engineer
With a strong focus on detail, I ensure software quality by detecting issues and refining processes. I'm always striving to grow and improve.
