I've read through these two links about forgot password and what would be the better way to reset a password based on several conditions and situations:
Forgot Password: what is the best method of implementing a forgot password function?
What is the best "forgot my password" method?
But I have a slightly different matter at hand.
We are thinking of having a reset password / forgot password thing, but the challenge is that we have users who belong to a group email,
e.g. engineering@mycorporate.com, h.resource@mycorporate.com, etc.
Each group email has many users whose emails are part of the group, and they need to use the group email to sign in to a local intranet system.
If we have a forgot password link for them to reset their password, I'm seeing a few possibilities here:
1. User keys in the group email, we verify the group email, send a link with some unique string that is temporary for 1 hour, the user clicks the unique link from the email, puts in a new password and confirms the new password.
2. User keys in the group email, we verify the group email, send a new randomly generated password to the group email, and require them to sign in within 1 hour and change the password.
But somehow the issue still comes from the group email thing: any user who belongs to the group will know of the random password (point no. 2).
But then, with either method (point no. 1 or point no. 2), if Person Y carries out the forgot and reset password, Person Z or anyone else won't know the newly reset password...
What do you think?
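Option 1 from the question as a worked example, added here and not part of the original post or any particular product: the emailed link carries a single-use token that is only ever stored hashed and stops working after the one-hour window, so a second click on the same link by another group member is rejected. The in-memory account store, the `ResetService` and `hash_password` names, and the sample address are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # the "temporary for 1 hour" window from option 1
PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 hash; the 16-byte salt is stored in front of the digest."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


class ResetService:
    """Option 1 from the question: mail a link carrying a single-use token valid for one hour."""

    def __init__(self, accounts: dict, now=time.time):
        self.accounts = accounts  # group email -> stored password hash (constructed sample store)
        self.pending = {}         # group email -> {"hash", "expires_at", "used"}; a new request replaces the old
        self.now = now            # injectable clock so expiry can be tested

    def request_reset(self, email: str):
        """Return the raw token to embed in the mailed link, or None for an unknown address."""
        if email not in self.accounts:
            return None  # the web form should respond identically either way
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked database copy must not yield usable links
        self.pending[email] = {"hash": hashlib.sha256(token.encode()).digest(),
                               "expires_at": self.now() + TOKEN_TTL_SECONDS, "used": False}
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Step 'click the unique link, put in new password': accepted exactly once within the hour."""
        rec = self.pending.get(email)
        if rec is None or rec["used"] or self.now() > rec["expires_at"]:
            return False
        if not hmac.compare_digest(rec["hash"], hashlib.sha256(token.encode()).digest()):
            return False
        rec["used"] = True  # the same mailed link cannot be replayed by another group member
        self.accounts[email] = hash_password(new_password)
        return True
```

Whoever completes the reset is the only one who knows the new password; everyone else in the group mailbox is left holding a link that no longer works, which is the behaviour the question describes for Person Y and Person Z.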