{"id":152,"date":"2025-08-26T13:49:55","date_gmt":"2025-08-26T13:49:55","guid":{"rendered":"https:\/\/1v0.net\/blog\/?p=152"},"modified":"2025-08-26T13:50:48","modified_gmt":"2025-08-26T13:50:48","slug":"implementing-password-reset-in-laravel-12-without-packages","status":"publish","type":"post","link":"https:\/\/1v0.net\/blog\/implementing-password-reset-in-laravel-12-without-packages\/","title":{"rendered":"Implementing Password Reset in Laravel 12 Without Packages"},"content":{"rendered":"\n

A great user experience includes a safe way to recover accounts. In this guide, you\u2019ll build a complete Password Reset flow in Laravel 12 \u2014 without using packages<\/strong>. We\u2019ll cover the database, routes, controller, mailer, Blade UI, and important security measures like token hashing, throttling, expirations, and single-use links. Every block includes explanations so beginners won\u2019t get lost.<\/p>\n\n\n\n

By the end, users will be able to request a reset link, receive an email with a secure one-time URL, and set a new password \u2014 all implemented with clean Laravel conventions.<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/div>\n\n\n\n

1 – What is a Password Reset flow?<\/strong><\/h2>\n\n\n\n

<\/p>\n\n\n\n

A password reset flow lets a user prove ownership of their account (via email) and set a new password even if they forgot the old one. The core idea: the app generates a short-lived, single-use token<\/strong>, sends it to the user\u2019s email, and only someone with access to that mailbox can redeem it to change the password. We\u2019ll build this end to end with secure defaults.<\/p>\n\n\n\n

<\/p>\n\n\n\n\n

<\/div>\n\n\n\n\n

2 – Prerequisites<\/strong><\/h2>\n\n\n\n

<\/p>\n\n\n\n

    \n
  • Laravel 12 project (PHP 8.2+) with a working database connection in .env<\/code><\/li>\n
  • Users table with email<\/code> and password<\/code> columns<\/li>\n
  • Mail configured in .env<\/code> (SMTP, Mailgun, etc.) so the app can send emails<\/li>\n<\/ul>\n\n\n\n

    <\/p>\n\n\n\n\n

    <\/div>\n\n\n\n\n

    3 – Create the password reset table<\/strong><\/h2>\n\n\n\n

    <\/p>\n\n\n

    php artisan make:migration create_password_resets_table\n<\/span><\/span><\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    Edit the migration to store the email, a hashed<\/em> token (safer than plain text), and a timestamp to expire tokens.<\/p>\n\n\n
    \/\/ database\/migrations\/xxxx_xx_xx_xxxxxx_create_password_resets_table.php<\/span>\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Database<\/span>\\Migrations<\/span>\\Migration<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Database<\/span>\\Schema<\/span>\\Blueprint<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Schema<\/span>;\n<\/span><\/span>\n<\/span><\/span>return<\/span> new<\/span> class<\/span> extends<\/span> Migration<\/span> <\/span>{\n<\/span><\/span>    public<\/span> function<\/span> up<\/span>()<\/span>: void<\/span> <\/span>{\n<\/span><\/span>        Schema::create('password_resets'<\/span>, function<\/span> (Blueprint $table)<\/span> <\/span>{\n<\/span><\/span>            $table->string('email'<\/span>)->index();\n<\/span><\/span>            $table->string('token'<\/span>);             \/\/ store hashed token here<\/span>\n<\/span><\/span>            $table->timestamp('created_at'<\/span>)->nullable();\n<\/span><\/span>        });\n<\/span><\/span>    }\n<\/span><\/span>\n<\/span><\/span>    public<\/span> function<\/span> down<\/span>()<\/span>: void<\/span> <\/span>{\n<\/span><\/span>        Schema::dropIfExists('password_resets'<\/span>);\n<\/span><\/span>    }\n<\/span><\/span>};\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    We\u2019ll store a hashed<\/strong> version of the token (HMAC) so if the DB were leaked, attackers cannot use reset links. The raw token only lives in the user\u2019s email link.<\/p>\n\n\n
    php artisan migrate\n<\/span><\/span><\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    4 – Configure Mail (so emails actually send)<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n
    # .env (example for SMTP)<\/span>\nMAIL_MAILER=smtp\nMAIL_HOST=smtp.yourprovider.com\nMAIL_PORT=587<\/span>\nMAIL_USERNAME=your_user\nMAIL_PASSWORD=your_password\nMAIL_ENCRYPTION=tls\nMAIL_FROM_ADDRESS=no-reply@your-domain.com\nMAIL_FROM_NAME=\"Your App\"<\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Make sure these values are correct for your provider. Incorrect mail settings are the #1 reason reset flows \u201cdon\u2019t work\u201d.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    5 – Routes (guest-only flow with throttling)<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n
    \/\/ routes\/web.php<\/span>\n<\/span><\/span>use<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Auth<\/span>\\PasswordResetController<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Route<\/span>;\n<\/span><\/span>\n<\/span><\/span>\/\/ Show \"Forgot Password\" form & send reset link<\/span>\n<\/span><\/span>Route::middleware(['guest'<\/span>, 'throttle:6,1'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n<\/span><\/span>    Route::get('\/forgot-password'<\/span>, [PasswordResetController::class, 'requestForm'<\/span>])\n<\/span><\/span>        ->name('password.request'<\/span>);\n<\/span><\/span>\n<\/span><\/span>    Route::post('\/forgot-password'<\/span>, [PasswordResetController::class, 'sendLink'<\/span>])\n<\/span><\/span>        ->name('password.email'<\/span>);\n<\/span><\/span>\n<\/span><\/span>    \/\/ User lands here from email link (contains token)<\/span>\n<\/span><\/span>    Route::get('\/reset-password\/{token}'<\/span>, [PasswordResetController::class, 'resetForm'<\/span>])\n<\/span><\/span>        ->name('password.reset'<\/span>);\n<\/span><\/span>\n<\/span><\/span>    \/\/ Submit new password<\/span>\n<\/span><\/span>    Route::post('\/reset-password'<\/span>, [PasswordResetController::class, 'reset'<\/span>])\n<\/span><\/span>        ->name('password.update'<\/span>);\n<\/span><\/span>});\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    What this does<\/strong>: all four routes are guest-only and rate-limited (6 attempts\/minute) to reduce abuse. The GET routes show forms; the POST routes perform actions.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    6 – Mailable for the reset link<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n
    php artisan make:mail ResetPasswordMail --markdown=mail.reset-password<\/code><\/span><\/pre>\n\n\n
    This creates a mailable and a Markdown email template. We\u2019ll pass a signed, single-use style URL (with raw token) to the email template.<\/p>\n\n\n
    \/\/ app\/Mail\/ResetPasswordMail.php<\/span>\n<\/span><\/span>namespace<\/span> App<\/span>\\Mail<\/span>;\n<\/span><\/span>\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Bus<\/span>\\Queueable<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Mail<\/span>\\Mailable<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Queue<\/span>\\SerializesModels<\/span>;\n<\/span><\/span>\n<\/span><\/span>class<\/span> ResetPasswordMail<\/span> extends<\/span> Mailable<\/span><\/span>\n<\/span><\/span><\/span>{\n<\/span><\/span>    use<\/span> Queueable<\/span>, SerializesModels<\/span>;\n<\/span><\/span>\n<\/span><\/span>    public<\/span> string $url;\n<\/span><\/span>\n<\/span><\/span>    public<\/span> function<\/span> __construct<\/span>(string $url)<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        $this<\/span>->url = $url;\n<\/span><\/span>    }\n<\/span><\/span>\n<\/span><\/span>    public<\/span> function<\/span> build<\/span>()<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        return<\/span> $this<\/span>->subject('Reset your password'<\/span>)\n<\/span><\/span>            ->markdown('mail.reset-password'<\/span>, [\n<\/span><\/span>                'url'<\/span> => $this<\/span>->url\n<\/span><\/span>            ]);\n<\/span><\/span>    }\n<\/span><\/span>}\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n
    <!-- resources\/views\/mail\/reset-password.blade.php -->\n<\/span><\/span>@component('mail::message'<\/span>)\n<\/span><\/span># Reset your password<\/span>\n<\/span><\/span>\n<\/span><\/span>Click the button below to choose a new<\/span> password. If<\/span> you didn\u2019t request this, you can ignore this email.\n<\/span><\/span>\n<\/span><\/span>@component('mail::button'<\/span>, ['url'<\/span> => $url])\n<\/span><\/span>Reset Password\n<\/span><\/span>@endcomponent\n<\/span><\/span>\n<\/span><\/span>This link will expire shortly for<\/span> your security.\n<\/span><\/span>\n<\/span><\/span>Thanks,\n<\/span><\/span>\n<\/span><\/span>{{ config('app.name'<\/span>) }}\n<\/span><\/span>@endcomponent\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    How it works<\/strong>: the controller will generate a raw token (random string), store a hashed version in DB, and include the raw token in the URL emailed to the user. The form that receives the token will recompute the hash and compare to DB.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    7 – Controller: generate, email, verify, and reset<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n
    \/\/ app\/Http\/Controllers\/Auth\/PasswordResetController.php<\/span>\n<\/span><\/span>namespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Auth<\/span>;\n<\/span><\/span>\n<\/span><\/span>use<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Controller<\/span>;\n<\/span><\/span>use<\/span> App<\/span>\\Mail<\/span>\\ResetPasswordMail<\/span>;\n<\/span><\/span>use<\/span> App<\/span>\\Models<\/span>\\User<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\DB<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Hash<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Mail<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Support<\/span>\\Str<\/span>;\n<\/span><\/span>\n<\/span><\/span>class<\/span> PasswordResetController<\/span> extends<\/span> Controller<\/span><\/span>\n<\/span><\/span><\/span>{\n<\/span><\/span>    \/\/ 1) Show \"Forgot Password\" form<\/span>\n<\/span><\/span>    public<\/span> function<\/span> requestForm<\/span>()<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        return<\/span> view('auth.forgot-password'<\/span>);\n<\/span><\/span>    }\n<\/span><\/span>\n<\/span><\/span>    \/\/ 2) Accept email, generate token, store hashed token, email link<\/span>\n<\/span><\/span>    public<\/span> function<\/span> sendLink<\/span>(Request $request)<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        $request->validate([\n<\/span><\/span>            'email'<\/span> => 'required|email'<\/span>,\n<\/span><\/span>        ]);\n<\/span><\/span>\n<\/span><\/span>        \/\/ Always respond the same to avoid leaking if email exists<\/span>\n<\/span><\/span>        $email = (string) $request->input('email'<\/span>);\n<\/span><\/span>\n<\/span><\/span>        \/\/ Create raw token and hashed token<\/span>\n<\/span><\/span>        $rawToken   = Str::random(64<\/span>);\n<\/span><\/span>        $hashedToken = hash_hmac('sha256'<\/span>, $rawToken, config('app.key'<\/span>));\n<\/span><\/span>\n<\/span><\/span>        \/\/ Upsert the record<\/span>\n<\/span><\/span>        DB::table('password_resets'<\/span>)->updateOrInsert(\n<\/span><\/span>            ['email'<\/span> => $email],\n<\/span><\/span>            ['token'<\/span> => $hashedToken, 'created_at'<\/span> => now()]\n<\/span><\/span>        );\n<\/span><\/span>\n<\/span><\/span>        \/\/ Build the URL user will click (token in path, email as query)<\/span>\n<\/span><\/span>        $url = route('password.reset'<\/span>, $rawToken) . '?email='<\/span> . urlencode($email);\n<\/span><\/span>\n<\/span><\/span>        \/\/ Send email (do not reveal whether email exists)<\/span>\n<\/span><\/span>        Mail::to($email)->send(new<\/span> ResetPasswordMail($url));\n<\/span><\/span>\n<\/span><\/span>        return<\/span> back()->with('status'<\/span>, 'If we found an account with that email, a reset link has been sent.'<\/span>);\n<\/span><\/span>    }\n<\/span><\/span>\n<\/span><\/span>    \/\/ 3) Show \"Reset Password\" form (user clicked link)<\/span>\n<\/span><\/span>    public<\/span> function<\/span> resetForm<\/span>(string $token, Request $request)<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        $email = (string) $request->query('email'<\/span>, ''<\/span>);\n<\/span><\/span>        return<\/span> view('auth.reset-password'<\/span>, compact('token'<\/span>, 'email'<\/span>));\n<\/span><\/span>    }\n<\/span><\/span>\n<\/span><\/span>    \/\/ 4) Validate token, update password, delete token<\/span>\n<\/span><\/span>    public<\/span> function<\/span> reset<\/span>(Request $request)<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        $data = $request->validate([\n<\/span><\/span>            'email'<\/span> => 'required|email'<\/span>,\n<\/span><\/span>            'token'<\/span> => 'required'<\/span>,\n<\/span><\/span>            'password'<\/span> => 'required|confirmed|min:8'<\/span>,\n<\/span><\/span>        ]);\n<\/span><\/span>\n<\/span><\/span>        \/\/ Recreate hashed token from raw token<\/span>\n<\/span><\/span>        $hashedToken = hash_hmac('sha256'<\/span>, $data['token'<\/span>], config('app.key'<\/span>));\n<\/span><\/span>\n<\/span><\/span>        \/\/ Look up the reset row<\/span>\n<\/span><\/span>        $row = DB::table('password_resets'<\/span>)\n<\/span><\/span>            ->where('email'<\/span>, $data['email'<\/span>])\n<\/span><\/span>            ->where('token'<\/span>, $hashedToken)\n<\/span><\/span>            ->first();\n<\/span><\/span>\n<\/span><\/span>        \/\/ Fail if token not found or expired (e.g., > 60 minutes old)<\/span>\n<\/span><\/span>        if<\/span> (! $row || now()->diffInMinutes($row->created_at) > 60<\/span>) {\n<\/span><\/span>            return<\/span> back()->withErrors(['email'<\/span> => 'This reset link is invalid or has expired.'<\/span>]);\n<\/span><\/span>        }\n<\/span><\/span>\n<\/span><\/span>        \/\/ Update user password<\/span>\n<\/span><\/span>        $user = User::where('email'<\/span>, $data['email'<\/span>])->first();\n<\/span><\/span>        if<\/span> (! $user) {\n<\/span><\/span>            \/\/ Generic failure message (don\u2019t reveal existence)<\/span>\n<\/span><\/span>            return<\/span> back()->withErrors(['email'<\/span> => 'This reset link is invalid or has expired.'<\/span>]);\n<\/span><\/span>        }\n<\/span><\/span>\n<\/span><\/span>        $user->forceFill([\n<\/span><\/span>            'password'<\/span> => Hash::make($data['password'<\/span>]),\n<\/span><\/span>        ])->save();\n<\/span><\/span>\n<\/span><\/span>        \/\/ Invalidate token (single-use)<\/span>\n<\/span><\/span>        DB::table('password_resets'<\/span>)->where('email'<\/span>, $data['email'<\/span>])->delete();\n<\/span><\/span>\n<\/span><\/span>        \/\/ Optionally logout all sessions by rotating remember_token<\/span>\n<\/span><\/span>        $user->setRememberToken(Str::random(60<\/span>));\n<\/span><\/span>        $user->save();\n<\/span><\/span>\n<\/span><\/span>        return<\/span> redirect()->route('login'<\/span>)->with('status'<\/span>, 'Password updated successfully. You can log in now.'<\/span>);\n<\/span><\/span>    }\n<\/span><\/span>}\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Highlights:<\/strong> we never<\/em> reveal whether an email exists; tokens are HMAC-hashed<\/strong> in DB; links expire (60 minutes example); tokens are single-use<\/strong>; we rotate the user\u2019s remember token to invalidate existing sessions.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    8 – UI: the two forms (Forgot & Reset)<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n
    <!-- resources\/views\/auth\/forgot-password.blade.php -->\n<\/span><\/span>@extends('layouts.app'<\/span>)\n<\/span><\/span>\n<\/span><\/span>@section('content'<\/span>)\n<\/span><\/span><div class<\/span>=\"container<\/span> py<\/span>-5\"><\/span>\n<\/span><\/span>  <h1<\/span> class<\/span>=\"h4<\/span> mb<\/span>-3\">Forgot<\/span> your<\/span> password<\/span>?<\/h1<\/span>><\/span>\n<\/span><\/span><\/span>\n<\/span><\/span>  @if<\/span> (session<\/span>('status<\/span>'))<\/span>\n<\/span><\/span>    <div<\/span> class<\/span>=\"alert<\/span> alert<\/span>-success<\/span>\"><\/span>{{ session('status'<\/span>) }}<\/div>\n<\/span><\/span>  @endif<\/span>\n<\/span><\/span>\n<\/span><\/span>  <form method=\"POST\"<\/span> action=\"{{ route('password.email') }}\"<\/span> class<\/span>=\"card<\/span> card<\/span>-body<\/span>\"><\/span>\n<\/span><\/span>    @csrf<\/span><\/span>\n<\/span><\/span>    <label<\/span> class<\/span>=\"form<\/span>-label<\/span>\">Email<\/span><\/label<\/span>><\/span>\n<\/span><\/span>    <input<\/span> class<\/span>=\"form<\/span>-control<\/span> mb<\/span>-2\" type<\/span>=\"email<\/span>\" name<\/span>=\"email<\/span>\" value<\/span>=\"<\/span>{{ old('email'<\/span>) }}\" required autocomplete=\"<\/span>email\"><\/span>\n<\/span><\/span>    @error('email') <div class=\"<\/span>text-danger small\">{{ $message }}<\/div> @enderror<\/span><\/span>\n<\/span><\/span><\/span><\/span>\n<\/span><\/span>    <button class=\"<\/span>btn btn-primary mt-2<\/span>\">Email me a reset link<\/button><\/span><\/span>\n<\/span><\/span>  <\/form><\/span><\/span>\n<\/span><\/span><\/div><\/span><\/span>\n<\/span><\/span>@endsection<\/span><\/span>\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    This is a simple, accessible form that asks for the email and shows success or validation messages. The status message is always neutral (doesn\u2019t leak if the email exists).<\/p>\n\n\n
    <!-- resources\/views\/auth\/reset-password.blade.php -->\n<\/span><\/span>@extends('layouts.app'<\/span>)\n<\/span><\/span>\n<\/span><\/span>@section('content'<\/span>)\n<\/span><\/span><div class<\/span>=\"container<\/span> py<\/span>-5\"><\/span>\n<\/span><\/span>  <h1<\/span> class<\/span>=\"h4<\/span> mb<\/span>-3\">Choose<\/span> a<\/span> new<\/span> password<\/span><\/h1<\/span>><\/span>\n<\/span><\/span><\/span>\n<\/span><\/span>  @if<\/span> (session<\/span>('status<\/span>'))<\/span>\n<\/span><\/span>    <div<\/span> class<\/span>=\"alert<\/span> alert<\/span>-success<\/span>\"><\/span>{{ session('status'<\/span>) }}<\/div>\n<\/span><\/span>  @endif<\/span>\n<\/span><\/span>\n<\/span><\/span>  <form method=\"POST\"<\/span> action=\"{{ route('password.update') }}\"<\/span> class<\/span>=\"card<\/span> card<\/span>-body<\/span>\"><\/span>\n<\/span><\/span>    @csrf<\/span><\/span>\n<\/span><\/span>    <input<\/span> type<\/span>=\"hidden<\/span>\" name<\/span>=\"token<\/span>\" value<\/span>=\"<\/span>{{ $token }}\"><\/span>\n<\/span><\/span><\/span><\/span>\n<\/span><\/span>    <label class=\"<\/span>form-label\">Email<\/label><\/span><\/span>\n<\/span><\/span>    <input class=\"<\/span>form-control mb-2<\/span>\" type=\"<\/span>email\" name=\"<\/span>email\" value=\"<\/span>{{ old('email'<\/span>, $email ?? ''<\/span>) }}\" required autocomplete=\"<\/span>email\"><\/span><\/span>\n<\/span><\/span>    @error('email') <div class=\"<\/span>text-danger small\">{{ $message }}<\/div> @enderror<\/span><\/span>\n<\/span><\/span><\/span><\/span>\n<\/span><\/span>    <label class=\"<\/span>form-label\">New password<\/label><\/span><\/span>\n<\/span><\/span>    <input class=\"<\/span>form-control mb-2<\/span>\" type=\"<\/span>password\" name=\"<\/span>password\" required autocomplete=\"<\/span>new<\/span>-password\"><\/span><\/span>\n<\/span><\/span>    @error('password') <div class=\"<\/span>text-danger small\">{{ $message }}<\/div> @enderror<\/span><\/span>\n<\/span><\/span><\/span><\/span>\n<\/span><\/span>    <label class=\"<\/span>form-label\">Confirm new password<\/label><\/span><\/span>\n<\/span><\/span>    <input class=\"<\/span>form-control mb-2<\/span>\" type=\"<\/span>password\" name=\"<\/span>password_confirmation\" required autocomplete=\"<\/span>new<\/span>-password\"><\/span><\/span>\n<\/span><\/span><\/span><\/span>\n<\/span><\/span>    <button class=\"<\/span>btn btn-success mt-2<\/span>\">Update Password<\/button><\/span><\/span>\n<\/span><\/span>  <\/form><\/span><\/span>\n<\/span><\/span><\/div><\/span><\/span>\n<\/span><\/span>@endsection<\/span><\/span>\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    The reset form includes the hidden token<\/code>, email, and both password fields with confirmation. Errors appear inline so users immediately know what to fix.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    9 – Extra hardening (recommended)<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n\n