This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Talk:Forgot Password Cheat Sheet
From OWASP
Logging
I'm surprised to see that logging isn't a consideration in password reset functionality. Knowing that users attempted a password reset, whether the reset was successful or failed, recording details of reset sessions including IP address and other details would all seem like great suggestions.
More on Logging
I think adding logging info like you described is a good idea. Go ahead and add it in!
- Jim Manico Sept 2, 2015