Password reset tokens

Detects password reset tokens and recovery URLs in documents, emails, and logs. Reset tokens are high-risk credentials — a leaked token enables account takeover without knowing the current password. No Microsoft built-in SIT exists for this pattern.

Type

regex

Engine

boost_regex

Confidence

medium

Confidence justification

Medium confidence: long random strings are common in URLs and logs. Reset-context keywords are essential to distinguish password recovery tokens from session IDs, API tokens, and other opaque identifiers.

Jurisdictions

global

Regulations

GDPR, CCPA, HIPAA, PCI-DSS

Frameworks

ISO 27001, NIST CSF, SOC 2

Data categories

credentials, security

Scope

wide

Risk rating

9

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported

Pattern

(?:(?:reset|recover|forgot|confirm)[\s\-_]*(?:password|account|identity|email)[\s\S]{0,80}(?:token|code|key|link)[\s=:]\s*[A-Za-z0-9\-_]{20,}|(?:token|code|key)[\s=:]\s*[A-Fa-f0-9]{32,}|[?&](?:token|reset_token|recovery_token|confirmation_token)=[A-Za-z0-9\-_\.]{20,})

Corroborative evidence keywords

password reset, reset token, recovery token, forgot password, reset link, recovery link, confirmation token, reset your password, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie (+17 more)

Proximity: 300 characters

Should match

• Reset your password using this link: https://example.com/reset?token=a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 — Reset URL with token query parameter
• reset password token: 4f8a2b1c9d3e7f0a4b8c2d1e9f3a7b0c — Reset token as hex string with label
• forgot password recovery code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123 — JWT-style recovery token
• ?recovery_token=Xk9mN2pL4qR7sT0uV3wY6zA1bC8dE5fG — Recovery token in URL parameter

Should not match

• session_id=abc123def456 — Session ID too short (under 20 chars)
• API response code: 200 OK — No token pattern present
• Your password has been changed successfully — Password context but no token value

Known false positives

• Session tokens and API tokens in application logs that are not password reset tokens. Mitigation: Require reset-specific keywords (reset, recover, forgot) in proximity. Generic token strings without reset context fire at low confidence only.
• OAuth authorization codes and CSRF tokens that share similar format. Mitigation: Reset-specific corroborative evidence distinguishes password recovery flows from general authentication tokens.
• Automated email templates containing password reset URL patterns without actual token values. Mitigation: Template exclusion filter rejects matches near sample/placeholder/example keywords.

References

• https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities
• https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html