Password Reset with End-to-End Encryption | PopaDex

Learn how password reset works with E2EE and the critical importance of your recovery key

Password reset in PopaDex works differently depending on whether you have End-to-End Encryption (E2EE) enabled. This guide explains both scenarios and the critical role of recovery keys.

Two Password Reset Scenarios

Without E2EE (Standard Reset)

If E2EE is not enabled:

  1. Click “Forgot Password?” on login
  2. Receive reset email
  3. Create new password
  4. All your data remains accessible

This is the standard password reset you’re familiar with from other services.

With E2EE (Recovery Key Required)

If E2EE is enabled:

  1. Click “Forgot Password?” on login
  2. Receive reset email
  3. Must provide recovery key
  4. Create new password
  5. Data is re-encrypted with new password
  6. All your data remains accessible

Without a recovery key: you can still reset your password, but all encrypted data will be permanently lost.

Why Recovery Keys Are Required

This isn’t a limitation - it’s the fundamental security guarantee of E2EE:

The Security Trade-off

Standard account security:

  • Company can recover your password
  • Company has access to your data
  • Convenient but less private

E2EE security:

  • PopaDex cannot recover your password
  • PopaDex has zero access to your data
  • More secure but requires recovery key backup

Your recovery key is proof that you’re the legitimate owner of the encrypted data.

Standard Password Reset (No E2EE)

Step-by-Step Process

  1. Initiate Reset
    • Go to https://app.popadex.com/login
    • Click “Forgot your password?”
    • Enter your email address
    • Click “Send Reset Link”
  2. Check Your Email
    • Look for email from [email protected]
    • Subject: “Reset Your PopaDex Password”
    • Check spam folder if not received within 5 minutes
  3. Click Reset Link
    • Link is valid for 24 hours
    • Opens secure reset page
    • Shows your email address
  4. Create New Password
    • Enter new password (minimum 12 characters)
    • Confirm new password
    • Click “Reset Password”
  5. Sign In
    • Automatically redirected to login
    • Use new password
    • All data intact

Reset links expire after:

  • 24 hours from request
  • Single use (cannot be reused)
  • Replaced if you request another reset

E2EE Password Reset (Recovery Key Required)

Step-by-Step Process

  1. Initiate Reset
    • Go to login page
    • Click “Forgot your password?”
    • Enter your email
    • Click “Send Reset Link”
  2. Check Your Email
    • Email from [email protected]
    • Subject includes “E2EE Account” indicator
    • Contains important recovery key reminder
  3. Click Reset Link
    • Opens secure reset page
    • Shows warning about recovery key requirement
  4. Enter Recovery Key
    RXKE-4M2N-7P9Q-6H3L-8VWT-2KJF-5DCG-9BNM-7XSW-4RPT
    
    • Paste or type your 50-character recovery key
    • System validates key format
    • Checksum validation prevents typos
  5. Create New Password
    • Enter new password (minimum 12 characters)
    • Confirm new password
    • Click “Reset Password”
  6. Re-encryption Process
    • Your data is re-encrypted with new password
    • May take 10-30 seconds depending on data volume
    • Progress indicator shows status
  7. Sign In
    • Redirected to login
    • Use new password
    • All encrypted data intact and accessible

What If You Don’t Have Your Recovery Key?

If you can’t find your recovery key, you have two options:

Option 1: Keep Searching

  • Check password manager
  • Check physical backup locations
  • Check old email/documents
  • Ask trusted family member if you shared it

Option 2: Proceed Without Recovery Key

⚠️ Warning: This will permanently delete all your encrypted data.

If you proceed without a recovery key:

  1. Click “I don’t have my recovery key”
  2. Read and understand the warning
  3. Check box: “I understand my data will be deleted”
  4. Click “Reset Anyway”
  5. Create new password
  6. Account is reset with empty data
  7. Generate new recovery key
  8. Start fresh

Lost data includes:

  • All bank connections
  • Transaction history
  • Net worth tracking data
  • Custom categories and budgets
  • All user-created content

Not lost (stored separately):

  • Email address
  • Account creation date
  • Subscription status

Password Requirements

When creating a new password:

Minimum Requirements

  • 12 characters minimum length
  • At least one uppercase letter (A-Z)
  • At least one lowercase letter (a-z)
  • At least one number (0-9)
  • At least one special character (!@#$%^&*)

Recommendations

  • Use 16+ characters for stronger security
  • Consider a passphrase (e.g., “Coffee$Mountain!Blue2025”)
  • Use a password manager to generate and store it
  • Don’t reuse passwords from other services

What Not to Use

  • ❌ Previous PopaDex passwords
  • ❌ Common words or patterns (“Password123!”)
  • ❌ Personal information (name, birthday, etc.)
  • ❌ Keyboard patterns (“qwerty”, “123456”)

Security Measures

Rate Limiting

Password reset is rate-limited to prevent abuse:

  • Maximum 3 reset requests per hour per email
  • Maximum 10 reset requests per day per email
  • Temporary lockout (1 hour) if limits exceeded

Email Verification

Reset emails include:

  • Timestamp of request
  • IP address of request (for your security)
  • Browser/device info
  • Link to report unauthorized request

If you didn’t request the reset, click “Report” in the email.

Reset links are:

  • Single-use (invalid after one use)
  • 24-hour expiration
  • Cryptographically signed to prevent tampering
  • HTTPS only - never sent over unencrypted connections

Troubleshooting

Not Receiving Reset Email

Check these:

  1. Spam/junk folder
  2. Promotions tab (Gmail)
  3. Email address spelling
  4. Inbox full? (unlikely but possible)

Wait: Emails can take up to 5 minutes

Still nothing?

  • Wait 10 minutes, try requesting again
  • Check if email address is correct for your account
  • Contact [email protected]

Reset Link Not Working

Possible reasons:

  • Link expired (24 hours)
  • Link already used
  • Link format corrupted (copy-paste error)

Solution: Request a new reset link

Recovery Key Not Working

Common issues:

1. Typos

  • Recovery key is case-sensitive (all uppercase)
  • Hyphens must be included
  • No spaces between groups
  • Format: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

2. Old Recovery Key

  • If you regenerated it, old key is invalid
  • Use most recent recovery key

3. Wrong Account

  • Each account has unique recovery key
  • Ensure you’re using the right key for this email

Still not working? Unfortunately, if your recovery key doesn’t work, you’ll need to proceed without it and lose encrypted data.

Reset Link Expired

Reset links are valid for 24 hours. If expired:

  1. Return to login page
  2. Click “Forgot Password?” again
  3. Request new reset link
  4. Complete reset within 24 hours

After Password Reset

Immediate Actions

  1. Save New Password
    • Store in password manager
    • Don’t rely on memory alone
  2. Verify Recovery Key (E2EE accounts)
    • Go to Settings → Security
    • Click “Test Recovery Key”
    • Confirm you still have it
  3. Update Saved Passwords
    • Browser password manager
    • Mobile app credentials
    • Any saved bookmarks

Security Recommendations

Change your password if:

  • You suspect account compromise
  • You used it on another breached service
  • It was weak or easily guessable
  • You shared it with someone
  • More than 90 days old (good practice)

After suspicious reset:

  1. Review account activity log
  2. Check connected bank accounts
  3. Verify no unauthorized changes
  4. Consider enabling 2FA (when available)

Preventing Future Lockouts

For Standard Accounts

Use a password manager

  • 1Password, Bitwarden, LastPass, Apple Keychain
  • Generates strong passwords
  • Saves them securely
  • Syncs across devices

Write it down securely

  • Store in safe or locked drawer
  • Only if you won’t lose it

For E2EE Accounts

Save recovery key immediately

  • Store in password manager
  • Physical backup in safe
  • Multiple secure locations

Test recovery key

  • Verify it works after saving
  • Test every 6 months

Include in estate planning

  • Trusted family member should have access
  • Consider digital estate planning services

FAQ

Q: How often can I reset my password?
A: As often as needed, but rate-limited to 3 times per hour and 10 times per day for security.

Q: Will resetting password sign me out of other devices?
A: Yes, all active sessions are terminated for security.

Q: Can I reset someone else’s password if I have their recovery key?
A: No. You also need access to their email to receive the reset link.

Q: What if I enabled E2EE but never saved my recovery key?
A: If you still remember your current password, generate and save a new recovery key immediately from Settings. If you’ve already forgotten your password, you’ll have to reset without the key and lose data.

Q: Is there a grace period before my data is deleted?
A: No. When you reset without a recovery key, data deletion is immediate and permanent.

Q: Can PopaDex recover my data if I lose my recovery key?
A: No. This is by design - true E2EE means even we cannot access your encrypted data.

Q: What’s the difference between “Forgot Password” and “Reset Password”?
A: They’re the same process, just different terminology.

Need assistance? Contact [email protected]

Last updated: January 15, 2025
