Which of the following is true about password resets?


Multiple Choice

Which of the following is true about password resets?

Explanation:
Automated password reset flows sit at a sensitive security junction because they change a credential on the strength of a verification channel (typically email or SMS) rather than a human judgement. If that channel is compromised, whether through mailbox access, a SIM swap, phishing, or interception of the reset link, the attacker can redeem the reset token and take over the account without the user being involved at all. The exposure scales with how the flow is designed: long-lived tokens, tokens that are not bound to the one account that requested them, tokens that can be redeemed more than once, tokens stored in plaintext (so a database read is as good as a mailbox compromise), missing rate limits on reset requests, and delivery over weak channels all widen the attack surface. Securing an automated reset therefore means short-lived, single-use, high-entropy tokens of which only a hash is stored; binding each token to the requesting account; identical responses for known and unknown addresses so the endpoint cannot be used to enumerate users; rate limiting per account; an additional factor where feasible; and monitoring for unusual reset volume. When these safeguards are absent, automated resets become a reliable account-takeover path, which is why the option describes them as dangerous. Human-handled resets are not inherently dangerous if identity verification is strong; the option contrasts them with automation because automation can be abused at scale.
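The safeguards listed above, as an added example rather than code from the quiz provider: a minimal reset service with short-lived, single-use tokens stored only as hashes, bound to the requesting account, with a per-account rate limit and a neutral result for unknown addresses. The in-memory user store, the time limits and the injectable clock are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # short-lived: 15 minutes (assumed policy value)
MAX_REQUESTS_PER_HOUR = 3     # per-account rate limit on reset requests (assumed)
PBKDF2_ITERATIONS = 200_000   # password storage cost; illustrative, not a recommendation


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class ResetService:
    """Issues and redeems reset tokens against a constructed in-memory user store."""

    def __init__(self, users: Dict[str, str], clock: Callable[[], float] = time.time):
        self._users = dict(users)                      # email -> user_id (sample data)
        self._clock = clock                            # injectable so expiry can be tested
        self._records: Dict[str, ResetRecord] = {}     # sha256(token) hex -> record
        self._requests: Dict[str, List[float]] = {}    # user_id -> recent request times
        self._passwords: Dict[str, Tuple[bytes, bytes]] = {}  # user_id -> (salt, pbkdf2)

    @staticmethod
    def _token_key(token: str) -> str:
        # Only the hash of the token is ever stored: a leaked table row is not a usable token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, email: str) -> Optional[str]:
        """Return the plaintext token to deliver out of band, or None.

        The HTTP layer must answer identically whether None came from an unknown
        address or from rate limiting, so the endpoint cannot enumerate accounts.
        """
        now = self._clock()
        user_id = self._users.get(email)
        if user_id is None:
            return None
        recent = [t for t in self._requests.get(user_id, []) if now - t < 3600]
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            self._requests[user_id] = recent
            return None
        recent.append(now)
        self._requests[user_id] = recent
        # A new request invalidates any token still outstanding for this account.
        for rec in self._records.values():
            if rec.user_id == user_id:
                rec.used = True
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: not guessable online
        self._records[self._token_key(token)] = ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, email: str, token: str, new_password: str) -> bool:
        """Consume a token and set a new password; False on any failed check."""
        now = self._clock()
        user_id = self._users.get(email)
        rec = self._records.get(self._token_key(token))
        if user_id is None or rec is None:
            return False
        # Single use, bound to the requesting account, and not past its expiry.
        if rec.used or rec.user_id != user_id or now > rec.expires_at:
            return False
        rec.used = True
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        self._passwords[user_id] = (salt, digest)
        return True

    def verify_password(self, email: str, password: str) -> bool:
        user_id = self._users.get(email)
        stored = self._passwords.get(user_id) if user_id else None
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    svc = ResetService({"alice@example.com": "u1"})
    tok = svc.request_reset("alice@example.com")
    print("redeem once:", svc.redeem("alice@example.com", tok, "new-pass"))   # True
    print("redeem again:", svc.redeem("alice@example.com", tok, "other"))     # False
```

Every failure path returns the same `False`, and `request_reset` returns `None` for both an unknown address and a rate-limited one; the caller is expected to render one fixed message in all cases. Hashing the token before the lookup also means the token table is never a usable secret if it is read by an attacker.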
