How to validate a password during reset flows
When a KiddyCash account holder initiates a password reset — whether they’ve forgotten their credentials or are responding to a suspected breach — the platform runs a verification layer before any new password is accepted. Understanding how that layer works helps you move through it without friction, and helps parents, school admins, and business owners support users in their care.
Why the verification step exists
Password resets are a common attack vector. KiddyCash protects family wallets, school allowance programs, and business disbursement accounts that may be linked to M-Pesa or hold balances in KES, so a bare email link isn’t enough. The reset flow requires proof that the person resetting is the legitimate account owner.
This is separate from PIN-level security. If you’re looking to update your transaction PIN rather than your login password, see how to change your account PIN or, if the PIN is lost entirely, how to reset a lost PIN.
The reset and validation flow
Navigate to https://kiddy.cash/reset-password to begin. The steps below describe what happens after you submit your registered email or phone number.
| Step | What happens | What to watch for |
|---|---|---|
| 1. Identity submission | You enter your email or KiddyCash-registered phone number | Must match the record on file; no aliases |
| 2. OTP dispatch | A one-time code is sent via SMS or email | Code expires in 10 minutes |
| 3. OTP entry | You enter the code on the verification screen | Three failed attempts lock the flow for 30 minutes |
| 4. KYC check (conditional) | Accounts flagged for review (new device, unusual location, high-value wallet) trigger an additional identity prompt | May request last transaction amount or KYC document confirmation |
| 5. New password entry | You set and confirm the new password | Rules enforced: 8+ characters, one uppercase, one number, one symbol |
| 6. Session invalidation | All active sessions are terminated | Re-login required on all devices |
Password rules and common rejection reasons
KiddyCash enforces the following at the validation stage. Passwords that fail these checks are rejected before the change is committed:
- Reuse block — Cannot match any of your last five passwords
- Similarity check — Password must not closely resemble your display name, email prefix, or registered phone number
- Breached credential check — Passwords found in known breach databases are rejected automatically
- Length cap — Maximum 64 characters; anything longer is truncated silently on some older integrations, causing login failure
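The rules above, together with the step 5 character requirements, sketched as one validator. This is an added example, not KiddyCash's code: the function names, the PBKDF2 history format, the substring reading of "closely resemble", and the local SHA-1 set standing in for a breach database are all assumptions. Over-length input is rejected rather than truncated, which avoids the login failure described for older integrations.

```python
import hashlib
import hmac
import re

MIN_LEN, MAX_LEN, HISTORY_DEPTH = 8, 64, 5  # values stated in the article

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage format for history entries; iteration count is a demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def too_similar(password: str, identifiers: list) -> bool:
    # Assumed rule: an identifier of 4+ chars appears in the password, ignoring case/punctuation.
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    tokens = (re.sub(r"[^a-z0-9]", "", i.lower()) for i in identifiers)
    return any(len(t) >= 4 and t in squashed for t in tokens)

def validate_new_password(password, *, display_name, email, phone,
                          history, breached_sha1):
    """Return rejection reasons in check order; an empty list means accepted."""
    reasons = []
    if len(password) > MAX_LEN:
        reasons.append("too_long")  # reject outright instead of truncating
    if len(password) < MIN_LEN:
        reasons.append("too_short")
    if not re.search(r"[A-Z]", password):
        reasons.append("no_uppercase")
    if not re.search(r"[0-9]", password):
        reasons.append("no_number")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no_symbol")
    national = re.sub(r"\D", "", phone)[-9:]  # assumed: last 9 digits identify the number
    if too_similar(password, [display_name, email.split("@")[0], national]):
        reasons.append("similar_to_identity")
    # history: (salt, digest) pairs, oldest first; only the last five count.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            reasons.append("reused")
            break
    # breached_sha1: set of uppercase SHA-1 hex digests (constructed stand-in).
    if hashlib.sha1(password.encode()).hexdigest().upper() in breached_sha1:
        reasons.append("breached")
    return reasons

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample data, not real account records
    past = [(salt, hash_password(p, salt)) for p in ("Old#Pass1", "Old#Pass2")]
    print(validate_new_password("Old#Pass2", display_name="Amina Otieno",
          email="amina@example.com", phone="+254 712 345 678",
          history=past, breached_sha1=set()))
```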
If your account is on a subscription plan with business or school features enabled, the administrator may have set stricter policy rules. Check with your org admin if you keep hitting rejections that the standard rules don’t explain. For context on how subscription tiers affect account-level settings, this overview of what’s new in subscriptions and a closer look at how subscriptions work cover the relevant feature changes.
After a successful reset
Once the new password clears validation:
- You receive a confirmation SMS or email (depending on your notification preference)
- Any linked M-Pesa auto-debit or recurring allowance disbursement continues uninterrupted — payment credentials are stored separately from login credentials
- Badges tied to account security milestones (like the Secure Account badge) are re-evaluated within 24 hours
If you do not receive the confirmation, do not attempt the reset again immediately. Wait 10 minutes, check spam folders, and confirm your registered contact details in account settings first.