How long must a password reset token remain valid?

The answer really depends on the complexity of your reset token. The goal should be that a reset token cannot be guessed within the time it is valid.

For example, if your reset token has 5 characters, only digits, and your server is able to respond to 100 requests per second with no rate limit, it is likely that 15 minutes is too long. Just think about the possible attack:

  1. An attacker resets his own password to see how the links work.
  2. The attacker requests a reset for his victim's account, knowing he has n minutes of time.
  3. The attacker calls the password reset page with more or less random keys until he finds the correct one.

This, especially step 3, should not be possible in the indicated time. That means that if you have a large enough universe to draw reset keys from (like 32 alphanumeric characters), as well as rate limiting in your application, even one day will not affect your security much. You can also (and must) choose to inform your user with a second email / message about the password change that was made. Also keep in mind that your application can support very long reset tokens without compromising the user experience, since the user never has to type them.

Edit: Of course, you must calculate so that only a very small percentage of keys can be tested in the given time. For example, a risk of 0.000001% of guessing the correct key in the given time interval could be an acceptable risk. A small amount of risk is something that you will have to accept in any case.
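The sizing argument in the answer above, carried through in code as an added example (not part of the original answer): the first two functions compute the worst-case probability that an unthrottled online guesser hits a valid token within the window, and the longest window that keeps that probability under an accepted risk, for the attacker model the answer describes (one valid token, every request tests one fresh guess). The `ResetTokenStore` class is an assumed, minimal server-side implementation showing the other half of the advice: a long token from the OS CSPRNG, stored only as a hash, single use, and checked against an expiry. All names and the numbers used are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


# --- Sizing the validity window against an online guesser ---

def guess_probability(alphabet_size, length, requests_per_second, valid_seconds):
    """Worst-case chance that an attacker who can submit `requests_per_second`
    distinct guesses for the whole window hits the one valid token.
    Assumes no rate limiting and exactly one outstanding token."""
    attempts = requests_per_second * valid_seconds
    space = alphabet_size ** length
    return min(1.0, attempts / space)


def max_valid_seconds(alphabet_size, length, requests_per_second, acceptable_probability):
    """Longest window that keeps the guessing probability at or below the
    accepted risk, under the same attacker model."""
    space = alphabet_size ** length
    return acceptable_probability * space / requests_per_second


# --- A minimal store that follows the answer's advice (assumed design) ---

class ResetTokenStore:
    """Issues and redeems single-use password reset tokens. Only a SHA-256
    digest of each token is kept, so a leaked table cannot be replayed."""

    TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; far beyond 32 alphanumerics

    def __init__(self, valid_seconds):
        self.valid_seconds = valid_seconds
        self._pending = {}  # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, user_id, now=None):
        """Create a token for `user_id`; the caller emails it as a link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(self.TOKEN_BYTES)  # ~43 URL-safe characters
        self._pending[self._digest(token)] = (user_id, now + self.valid_seconds)
        return token

    def redeem(self, token, now=None):
        """Return the user id if `token` is valid and unexpired, else None.
        The token is consumed on first presentation either way."""
        now = time.time() if now is None else now
        wanted = self._digest(token)
        found = None
        # Compare every pending digest in constant time so the lookup does not
        # leak how much of a guess matched; the pending set is small.
        for digest, (user_id, expires_at) in self._pending.items():
            if hmac.compare_digest(digest, wanted):
                found = (digest, user_id, expires_at)
        if found is None:
            return None
        digest, user_id, expires_at = found
        del self._pending[digest]  # single use, even if it turns out to be expired
        if now > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    # The answer's weak case: 5 digits, 100 req/s, 15 minutes.
    print("5 digits / 15 min:", guess_probability(10, 5, 100, 15 * 60))
    # The answer's strong case: 32 alphanumerics, 100 req/s, one day.
    print("32 alnum / 1 day:", guess_probability(62, 32, 100, 24 * 3600))
    # How long 5 digits could stay valid at the answer's 0.000001% risk.
    print("5 digits at 1e-8 risk, seconds:", max_valid_seconds(10, 5, 100, 1e-8))

    store = ResetTokenStore(valid_seconds=3600)
    tok = store.issue("alice")
    print("redeem:", store.redeem(tok), "replay:", store.redeem(tok))
```

With the answer's own numbers, 5 digits at 100 requests per second gives a 90% chance of success within 15 minutes, while 32 alphanumeric characters over a full day stay far below any risk threshold; at the 0.000001% risk level, a 5-digit token could only be valid for a fraction of a millisecond, which is why token length, not a short window, is what buys the security.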