There are a few requirements for a good password reset token:
- the user should be able to reset their password with the token they receive in an email
- the token should not be guessable
- the token should expire
- the user should not be able to re-use a token
Ideally, the web framework of your choice should already have a built-in way to generate reset tokens. However, we use Play and it does not provide a way to do that, so we have to roll our own.
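
To make the four requirements concrete, here is an added example (not this page's own implementation) of a token service that meets all of them using only the JDK. The names `ResetTokens`, `issue` and `redeem` are hypothetical, and the 30-minute lifetime and the in-memory map standing in for a database table are assumptions.

```scala
import java.security.{MessageDigest, SecureRandom}
import java.time.{Clock, Duration, Instant, ZoneId, ZoneOffset}
import java.util.Base64
import scala.collection.mutable

// Hypothetical names; the in-memory map stands in for a database table.
final class ResetTokens(clock: Clock, ttl: Duration = Duration.ofMinutes(30)) {
  private case class Entry(userId: Long, expiresAt: Instant)
  private val rng = new SecureRandom()
  private val byHash = mutable.Map.empty[String, Entry] // key: SHA-256 of the token

  private def sha256(s: String): String =
    Base64.getEncoder.encodeToString(
      MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8")))

  /** Issue a token to e-mail to the user; only its hash is kept server-side. */
  def issue(userId: Long): String = synchronized {
    val raw = new Array[Byte](32) // 256 bits from a CSPRNG: not guessable
    rng.nextBytes(raw)
    val token = Base64.getUrlEncoder.withoutPadding.encodeToString(raw)
    // A new request voids any token issued earlier for the same user.
    byHash --= byHash.collect { case (h, e) if e.userId == userId => h }
    byHash(sha256(token)) = Entry(userId, clock.instant().plus(ttl))
    token
  }

  /** Return the user id for a valid token and consume it in the same step. */
  def redeem(token: String): Option[Long] = synchronized {
    byHash.remove(sha256(token)) // removed on first lookup, so no re-use
      .filter(e => clock.instant().isBefore(e.expiresAt)) // expired => None
      .map(_.userId)
  }
}

object Demo {
  def main(args: Array[String]): Unit = {
    var now = Instant.parse("2024-01-01T00:00:00Z") // constructed test clock
    val clock = new Clock {
      def getZone(): ZoneId = ZoneOffset.UTC
      def withZone(z: ZoneId): Clock = this
      def instant(): Instant = now
    }
    val tokens = new ResetTokens(clock)
    val t1 = tokens.issue(42L)
    assert(tokens.redeem(t1) == Some(42L)) // valid on first use
    assert(tokens.redeem(t1).isEmpty)      // rejected on re-use
    val t2 = tokens.issue(42L)
    now = now.plus(Duration.ofMinutes(31))
    assert(tokens.redeem(t2).isEmpty)      // rejected after expiry
  }
}
```

Storing only the hash means a leaked token table cannot be replayed against the reset endpoint, and removing the entry before checking expiry keeps the single-use guarantee even for expired tokens.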