We rolled out a new password reset workflow yesterday.

Why did we spend time on this?

Sending passwords via email on reset and requiring security Q+A ... these were normal for 2007 when we started this, but UX and opsec best practices have evolved. Users had been having trouble with the existing workflow, which meant user pain and our time to service; more time on support means less time on developing.

What was the approach?

Find a best practice to copy from the wild: Slack.

Nitty Gritty

We looked for the best experience and that was Slack, so we copied 90% of what we saw. Magic links are not yet rolled out but are a stone's throw away if we so desire in the future. One difference between us and Slack is that some of our usernames are not emails, so we had to account for that.

Secret questions and answers are no longer requested on registration, nor managed on the account page. In helping users with password issues, users can now head to the forgot page and s