It's 11 PM on a Thursday. You're trying to log into your bank account to pay a bill before midnight, but your fingers fumbled the password. No problem, right? You'll just reset it. Except what happens next is enough to make you want to throw your phone across the room.
First, there's the email verification. Fine. You open your email, click the link. But wait—the link expires in 15 minutes, and naturally, you didn't see the email immediately. You request another one. It arrives. You click it. Now you're being asked security questions about your mother's maiden name, your first pet, and the street you grew up on. Questions you set up five years ago and can barely remember. After three failed attempts, you're locked out for 24 hours.
This isn't just an inconvenience. This is corporate security theater at its worst, and it's happening across virtually every platform that holds your money, data, or identity.
The Unnecessary Complexity Nobody Asked For
Here's what bothers me most: the people who designed these byzantine password reset processes probably never actually use them. They sit in meetings debating security protocols without ever experiencing the real-world frustration they're creating for millions of users trying to access accounts they already own.
I recently helped my 67-year-old mother reset her email password. The process involved: entering her recovery email address, waiting for a verification code, answering three security questions, receiving a text message with a second code, and then creating a new password that had to include uppercase letters, lowercase letters, numbers, special characters, but NOT the last 12 passwords she'd ever used (how do they even track that?). The entire process took 42 minutes. Forty-two minutes to access an email account that contains no sensitive financial information whatsoever.
Most password reset systems operate under the assumption that every reset is a potential account hijacking attempt. So they stack verification on verification: each layer shaves a little off the chance that an attacker succeeds while sharply raising the chance that a legitimate user gives up in frustration. Worse, the layers that get added most readily (security questions, a second code) tend to be the weakest ones, so the friction buys far less protection than it looks like it does.
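As an added illustration (not code from this post or from any particular vendor), here is what a single, well-built reset layer looks like in Python: a random token of which only the hash is stored, a short expiry, single use, and a password-history check done against stored hashes, which also answers the question above of how a service "tracks" your last twelve passwords. The in-memory dictionaries stand in for a database and stdlib PBKDF2 stands in for Argon2 or bcrypt; both are assumptions made for the example.

```python
"""Minimal password-reset token flow: one strong, single-use, short-lived
token delivered to an already-verified channel. Added example code, not from
the original post or any vendor. In-memory dicts stand in for a database."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60     # the 15-minute link expiry the post describes
PASSWORD_HISTORY_DEPTH = 12     # "not the last 12 passwords": current + 11 previous

# Constructed in-memory stores (assumption: a real service uses a database).
_users = {}         # username -> {"pw_hash": (salt, digest), "history": [(salt, digest), ...]}
_reset_tokens = {}  # sha256(token) -> {"user": username, "expires": epoch seconds}


def _hash_password(password, salt=None):
    """Slow, salted hash. PBKDF2 is used here only because it is in the
    standard library; production code should prefer Argon2id or bcrypt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def _password_matches(password, stored):
    salt, digest = stored
    _, candidate = _hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def create_user(username, password):
    _users[username] = {"pw_hash": _hash_password(password), "history": []}


def issue_reset_token(username, now=None):
    """Create the token that goes into the emailed link. Only its hash is
    stored, so a leaked token table does not yield usable reset links."""
    now = now if now is not None else time.time()
    if username not in _users:
        return None   # the caller still shows "if an account exists, we emailed it"
    token = secrets.token_urlsafe(32)   # 256 bits of randomness; unguessable
    key = hashlib.sha256(token.encode()).hexdigest()
    _reset_tokens[key] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def _in_history(username, new_password):
    """Password-history check: compare the candidate against the stored
    hashes of the current and previous passwords, never against plaintext."""
    record = _users[username]
    for stored in [record["pw_hash"]] + record["history"]:
        if _password_matches(new_password, stored):
            return True
    return False


def redeem_reset_token(token, new_password, now=None):
    """Validate and consume the token, then rotate the password. Returns a
    short status string so callers can tell the user why a reset failed."""
    now = now if now is not None else time.time()
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = _reset_tokens.get(key)
    if entry is None:
        return "invalid"
    if now > entry["expires"]:
        del _reset_tokens[key]
        return "expired"
    username = entry["user"]
    if _in_history(username, new_password):
        return "reused"   # token is kept: the user can pick another password
    del _reset_tokens[key]   # single use: consume before applying the change
    record = _users[username]
    record["history"] = ([record["pw_hash"]] + record["history"])[:PASSWORD_HISTORY_DEPTH - 1]
    record["pw_hash"] = _hash_password(new_password)
    return "ok"


def login(username, password):
    record = _users.get(username)
    return record is not None and _password_matches(password, record["pw_hash"])
```

The security of this flow rests on two things: the token cannot be guessed, and it only reaches an inbox the account already proved it controls. Trivia questions stacked on top do not change either property; they add a weaker, guessable factor and a second chance to lock out the real owner. Note also that a rejected reused password does not consume the token, so the user can try another without restarting the whole dance.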
When Security Becomes Psychological Torture
The irony is brutal: the security measures designed to protect you are often more vulnerable than the passwords themselves. Those security questions? They're tied to information that's often publicly available or easily guessable. Your first pet's name might be on your Instagram from 2012. Your mother's maiden name is probably findable through genealogy websites. Your high school mascot? Check your old yearbook photos online.
A 2021 study from the University of New Hampshire found that 43% of security questions could be answered accurately by someone with just basic information about the target—the kind of information you might find on social media or from a casual conversation.
Yet companies continue relying on these questions as a primary authentication method. Why? Because they're cheap to implement and create the illusion of security without the expense of implementing better systems like biometric authentication or hardware keys.
Meanwhile, actual security best practices get buried. Two-factor authentication is sometimes optional. Recovery email addresses are sometimes not verified properly. And the whole system grinds to a halt if you dare to move, change your phone number, or get married and change your last name.
The Companies That Do It Right (And They're Rare)
There are exceptions, though they're uncomfortably rare. Apple's approach is comparatively straightforward: you can generate a recovery key, print it and store it safely, or reset your Apple ID password from a trusted device you already own. It's faster and honestly more secure, because it relies on something you physically possess rather than trivia questions.
Google lets you use your phone to verify your identity: just confirm that yes, it's really you by tapping a notification on your actual device. It's simple, quick, and hard to fake unless someone has stolen your unlocked phone (in which case you have bigger problems anyway) or pesters you with prompts until you tap one you didn't initiate. Treat the prompt like a door buzzer: don't let in anyone you weren't expecting.
But these companies are the outliers. Most services seem to operate under the logic that the more steps they add, the more secure things become. That's not how psychology works. That's not how user experience works. That's actually how you convince people to reuse passwords across multiple sites because they can't handle resetting them anymore.
What Needs to Change
Companies need to stop treating password resets like a security test and start treating them like a necessary feature for people who legitimately forgot their password. Because—and this is important—the vast majority of people requesting password resets are not hackers. They're you. They're me. They're busy humans who can't possibly remember 47 different passwords.
The solution isn't harder security questions. It's not more verification steps. It's actually implementing modern authentication standards that are both more secure AND faster. Passkeys. Biometric verification. Device-based authentication. Things that eliminate passwords entirely rather than just making the reset process more painful.
Until then, we're stuck in a system where we're punished for forgetting our own passwords, where we have to prove our identity through information that's neither private nor reliable, and where the people who built the system seem to have never experienced it themselves.
If you want to see how far companies will go to overcomplicate things users already own, check out The Subscription Graveyard article about how companies remove features from services you're paying for. Same energy, different format.
The password reset trap is a perfect microcosm of a larger problem: companies prioritizing perceived security over actual usability. And we're all paying the price in frustration, time, and the occasional smashed phone.