Password Reset

/forgot-password asks for the email address and the username of the account. Both must match — this prevents enumeration of accounts by email alone. On submit, a reset email is sent containing a single-use link.

The reset link opens /reset-password with a token in the URL. The page validates the token, then asks for a new password (subject to the same length and complexity rules as registration) and a confirmation. After submit, the token is invalidated and the new password is active immediately.

A password reset does not bypass two-factor authentication. If you have lost both your password and your authenticator, use one of the recovery codes you stored when 2FA was enabled. If those are also gone, you need to contact support — for security reasons there is no automated bypass.