So you click the button, and it has your username and/or email already known, so it knows that email address is validly tied to that account.
So they send you off an email, knowing that only the right user will be able to receive it, and they give you a one-time password to use to get back into your account.
In the backend, when you type in that one-time code, it now knows you are the correct user, so it lets you reset your password, and the new password overwrites the old one.
Basically, they’ve just authenticated you via email, rather than by password directly.
As stated above/below – it uses the email address (or looks up an email address from a username) that you provide, and sends a link with a token in it.
Assuming you’re the only person with access to your email, you’re the only one who receives that link. And when you follow it, it’ll take you to a location where you can change your password and log in. These ‘change password’ links typically are one-use only and have a timeout, to avoid anyone stumbling on the link somehow and using it to gain access to your account.
So two things are obviously key:
– It’s important to give a valid email address to any accounts, if you want to be able to reset the password (you may have to provide one to create the account in the first place)
– Your email account is a great way of gaining access to other sites/accounts. Whatever else you do, make sure your email password is safe, and hard to guess (or use a password manager).
Security can be granted through a few different avenues.
– Something only you know (password, ssn+dob, a series of extremely personal questions/answers)
– Something only you have access to (an email account)
– Something only you hold (cellphone, usb key)
We use passwords because opening an email, or responding to a text message every time you wanted to login is a huge pain. And that “remember me on this device” checkbox is actually a form of ‘something you hold’.
If you don’t know your password the service verifies “you are you” by sending the reset link to your email address.
Critical services like banking or healthcare often require even more validation, like inputting a code texted to your personal cellphone.
(Something only you have access to + something only you physically hold)
Once they’ve validated that you are who you are, the backend process is really simple. You submit your password, they shove it through an algorithm to generate an (almost) unique id, then that hash is saved over your old password.
Some places keep track of the last X hashes so they can say “you’ve already used this one”.
Some BAD companies store passwords exactly as you input them, which leaves you exposed if they’re hacked & you reused the password.
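Added example (not code from any of the answers above, and not any particular site's implementation): what "shove it through an algorithm ... then that hash is saved over your old password" and "keep track of the last X hashes" look like in practice. Each password gets its own random salt and is run through PBKDF2-HMAC-SHA256; only the salt and digest are stored, so a dumped table does not contain anything reusable. The work factor, the history length of 5, and the in-memory `Account` class are assumptions for illustration.

```python
"""Added example: store a changed password as a salted hash and refuse reuse
of the last few passwords. Not code from any answer on this page; the work
factor, HISTORY_SIZE and Account class are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor
HISTORY_SIZE = 5      # assumed value of the "last X hashes" the answer mentions


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh random salt per password means two
    users with the same password still get different digests, and a table
    precomputed for one salt is useless against another."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


class Account:
    """One user row. Only salts and digests are stored, never the password
    itself, so this is the opposite of the plaintext storage the answer warns
    about: a leaked row does not hand an attacker a password to try elsewhere."""

    def __init__(self, password, iterations=ITERATIONS):
        self.iterations = iterations
        self.salt, self.digest = hash_password(password, iterations=iterations)
        self.history = []  # (salt, digest) of retired passwords, newest first

    def check_login(self, password):
        return verify_password(password, self.salt, self.digest, self.iterations)

    def change_password(self, new_password):
        """Overwrite the stored hash, refusing the current password or any of
        the last HISTORY_SIZE. Returns True when the change was applied."""
        for salt, digest in [(self.salt, self.digest)] + self.history:
            if verify_password(new_password, salt, digest, self.iterations):
                return False  # "you've already used this one"
        self.history.insert(0, (self.salt, self.digest))
        del self.history[HISTORY_SIZE:]  # keep only the most recent ones
        self.salt, self.digest = hash_password(new_password, iterations=self.iterations)
        return True


if __name__ == "__main__":
    acct = Account("correct horse")
    print("reuse rejected:", not acct.change_password("correct horse"))
    print("new password accepted:", acct.change_password("battery staple"))
    print("stored row:", acct.salt.hex(), acct.digest.hex())  # no password in sight
```

Because every reuse check re-derives the candidate against each stored salt, checking against a history of five costs six PBKDF2 runs per change; that is deliberate, since the same cost is what slows down anyone who steals the table.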
When you create an account you need to use an email, and as you may have noticed you’re asked to confirm the email either to complete the account creation or once the account has been created. Confirming usually means logging into that email and clicking on a link sent to you. What this does is confirm to the website that you do indeed have access to that email account. Email accounts tend to be important so we generally either don’t forget our credentials or use extra security measures like having our phone numbers attached to them. Random website accounts may be important or they may not be. We might very easily forget a password so email recovery is the general go-to method.
When you recover a password, you’re once again sent a link to your attached email account. The logic is that any random can request a password change, but only the true account owner can see the email and click the link in it, which allows for the password to be changed. This is why it’s very important to have different passwords for each account and email. In the case where someone has the exact same passwords everywhere, this compromises these security features a lot since if they gain access to your email, they can pretty much gain access to all accounts attached to that email.
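Added example (not code from any of the answers above, and not any particular site's implementation) of the token mechanism the first two answers describe for password reset and this last answer describes for confirming an email address: the same link-with-a-token flow serves both, so one class handles both purposes. The token is random, only its hash is stored, it expires after a timeout, and redeeming it deletes the record, which is what makes the link one-use. The in-memory user store, the 15-minute timeout, the `purpose` field and the `now` clock parameter are assumptions for illustration.

```python
"""Added example: one-use, time-limited email tokens for password reset and
for confirming an address. Not code from any answer on this page; the user
store, TOKEN_TTL_SECONDS, purpose tags and injectable clock are assumptions."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed timeout; real sites pick their own


class EmailTokenService:
    """Mints tokens that get mailed to the account's address and are redeemed once.

    Only a SHA-256 hash of each token is kept server-side, so a leaked table of
    pending tokens cannot be turned back into working links. Plain SHA-256 is
    adequate here (unlike for passwords) because the token is 256 bits of
    randomness rather than something a person chose.
    """

    def __init__(self, users, now=time.time):
        # users: constructed in-memory store, username -> {"email": ...}
        self.users = users
        self.now = now  # injectable so expiry can be exercised in tests
        # token hash -> {"user": ..., "purpose": ..., "expires": ...}
        self.pending = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, identifier, purpose):
        """Look the account up by username or email and mint a token.

        Returns (email, token) for the mailer, or None if nothing matches.
        The HTTP response should look identical in both cases so the form
        does not reveal which addresses are registered.
        """
        for username, rec in self.users.items():
            if identifier in (username, rec["email"]):
                token = secrets.token_urlsafe(32)
                self.pending[self._hash(token)] = {
                    "user": username,
                    "purpose": purpose,  # "reset" or "confirm"
                    "expires": self.now() + TOKEN_TTL_SECONDS,
                }
                return rec["email"], token
        return None

    def redeem(self, token, purpose):
        """Consume a token. Returns the username on success, else None.

        pop() removes the record whatever the outcome, so presenting the same
        token twice finds nothing the second time. The caller, not this class,
        then stores the new password hash or marks the email confirmed.
        """
        record = self.pending.pop(self._hash(token), None)
        if record is None:
            return None  # unknown, forged, or already used
        if record["purpose"] != purpose:
            return None  # a confirm-email token must not reset a password
        if self.now() > record["expires"]:
            return None  # timed out
        return record["user"]


if __name__ == "__main__":
    svc = EmailTokenService({"alice": {"email": "alice@example.test"}})
    email, token = svc.issue("alice", "reset")
    print("mail to", email, "with link containing", token)
    print("first redeem:", svc.redeem(token, "reset"))   # alice
    print("second redeem:", svc.redeem(token, "reset"))  # None, already used
```

The redeem step only proves control of the mailbox; it hands back a username and nothing else, so the password-change handler that calls it is the single place where the old hash gets overwritten. That separation also makes the point of the last answer concrete: whoever controls the mailbox can pass `redeem` for every account tied to it.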