Use a secure password reset flow instead of emailing the password itself
Send a password reset link containing a single-use, unguessable token generated from a cryptographically secure random source, and store only a hash of that token server-side
Set the token to expire after a short time, for example 15 minutes, and discard it once it is used or expired
Verify the user's identity before allowing a reset: delivering the link only to the registered email address proves control of that mailbox, and a second factor should be required where one is enrolled
Use HTTPS for all reset and login pages
Notify the user by email that a password change was requested
Include account security details such as time and approximate location of the request
Do not include the new password in any email, including the confirmation sent after the change
Never send the current password by email; the server should not even be able to, because it stores only a salted hash of the password, not the password itself
Ask the user to create a new password on a secure page
Enforce strong password requirements
Invalidate all existing sessions and any outstanding reset tokens once the password is changed, so an attacker who already holds a session is logged out
Log the password change and reset request events, with timestamp and source address but never the token or password, so they can be picked up by security monitoring
Advise the user to contact support if they did not request the change
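The list above describes one flow; the following Python puts the whole thing together as an added example (this is not code from the original page). It assumes a hypothetical in-memory user store, an `outbox` list standing in for an email sender, a hypothetical `https://example.com/reset` endpoint, and an injectable clock so token expiry can be exercised; the logging calls go to the standard `logging` module.

```python
"""Token-based password reset flow (added example, not the page's own code).

Assumptions (hypothetical): an in-memory user store, an outbox list standing
in for an e-mail sender, and an injectable clock so expiry can be tested.
"""
import hashlib
import hmac
import logging
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

TOKEN_TTL_SECONDS = 15 * 60              # reset links expire after a short time
MIN_PASSWORD_LENGTH = 12                 # minimal strength rule for the example
RESET_URL = "https://example.com/reset"  # hypothetical HTTPS-only endpoint

log = logging.getLogger("password_reset")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash. Only the hash is stored, so the current password can
    never be recovered, let alone e-mailed back to the user."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    sessions: Set[str] = field(default_factory=set)  # active session ids


def create_user(email: str, password: str) -> User:
    salt, digest = hash_password(password)
    return User(email, salt, digest)


class PasswordResetService:
    def __init__(self, users: Dict[str, User], now: Callable[[], float] = time.time):
        self.users = users
        self.now = now
        self.outbox = []  # constructed stand-in for an e-mail sender
        # sha256(token) -> (email, expiry). The raw token is never stored, so a
        # leaked copy of this table yields no usable reset links.
        self.pending: Dict[bytes, Tuple[str, float]] = {}

    @staticmethod
    def _token_hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email: str, request_ip: str) -> None:
        """Issue a single-use reset link. Returns nothing and behaves the same
        for unknown addresses, so the response does not reveal which accounts exist."""
        user = self.users.get(email)
        if user is None:
            return
        # A new request supersedes any earlier outstanding token for this user.
        for h, (e, _) in list(self.pending.items()):
            if e == email:
                del self.pending[h]
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self.pending[self._token_hash(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
        when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(self.now()))
        self.outbox.append({
            "to": email,
            "subject": "Password reset requested",
            "link": f"{RESET_URL}?token={token}",
            "body": (f"A password reset was requested at {when} from {request_ip}. "
                     "The link is valid for 15 minutes and works once. "
                     "If you did not request this, contact support."),
        })
        log.info("password reset requested email=%s ip=%s", email, request_ip)

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token and set the new password. Every failure path
        returns False without saying which check failed."""
        entry = self.pending.get(self._token_hash(token))  # lookup by hash, never the raw token
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            del self.pending[self._token_hash(token)]  # expired tokens are discarded
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False  # token stays valid so the user can retry with a stronger password
        user = self.users[email]
        del self.pending[self._token_hash(token)]  # single use: consumed before the change
        user.salt, user.pw_hash = hash_password(new_password)
        user.sessions.clear()  # every existing session is logged out
        log.info("password changed email=%s", email)  # event only; no token, no password
        self.outbox.append({
            "to": email,
            "subject": "Your password was changed",
            "body": ("Your password was just changed. The new password is not included here. "
                     "If this was not you, contact support immediately."),
        })
        return True
```

Two design points worth noting: the raw token exists only in the email, and the server keeps its SHA-256 digest, so a database read does not hand an attacker working reset links; and a weak new password does not consume the token, whereas a wrong or expired token is never accepted and a used token is deleted before the password is written.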
