Web-based customer self-service password resets are a boon to any enterprise that manages user accounts. But with every on-line action, there are associated security risks. The reset process, if not executed correctly, can inadvertently reveal personal information that can then be used in an attack. Data that is aggregated should not be part of your password reset process. Few websites use effective security questions on password reset questions, such as ‘Who is your favorite sports team?’ Many sites will use an email address or the person’s mother’s maiden name to initiate the reset.
Source: https://www.csoonline.com/article/2119879/how-to-do-password-resets-right.html
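The reset weaknesses the excerpt names, shown as an added Python example that is not from the article: the request endpoint answers identically whether or not the address is registered, only a hash of a random single-use expiring token is stored, and possession of that token (not a knowledge-based answer such as a mother's maiden name) is the sole proof. The `deliver` callback, the in-memory tables and the 15-minute TTL are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60          # assumption: reset links expire after 15 minutes
UNIFORM_MESSAGE = "If an account exists for that address, a reset link has been sent."

# Constructed in-memory stand-ins for a user table and a reset-token table.
USERS = {"alice@example.com": {"password_hash": b"placeholder"}}
RESET_TOKENS = {}   # sha256(token) -> {"email", "expires", "used"}

def hash_password(password: str) -> bytes:
    # Salted PBKDF2; the 16-byte salt is stored in front of the derived key.
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _hash_token(token: str) -> str:
    # Only the hash is persisted, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(email: str, deliver, now=None) -> str:
    """Start a reset. `deliver(email, token)` is the caller's out-of-band channel
    (e-mail in practice; an assumption here). The response is the same whether
    or not the address is registered, so the endpoint reveals nothing about it."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)          # 256-bit random, single use
        RESET_TOKENS[_hash_token(token)] = {
            "email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        deliver(email, token)
    return UNIFORM_MESSAGE

def redeem_reset_token(token: str, new_password: str, now=None) -> bool:
    """Finish a reset. Succeeds once, before expiry, with no security questions:
    holding the unguessable token is the only thing checked."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True                          # burn the token
    USERS[record["email"]]["password_hash"] = hash_password(new_password)
    return True

def verify_password(email: str, password: str) -> bool:
    # Constant-time comparison of the stored and candidate derived keys.
    stored = USERS[email]["password_hash"]
    salt, key = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return secrets.compare_digest(candidate, key)
```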

