How Splync v1.1 Handles Password Resets

Password Reset, Another Feature of Splync v1.1

Alongside email verification, Splync v1.1 introduced password reset — a simple but essential feature that strengthens account security. It may seem straightforward, but it solves one of the most common and critical problems in any app: helping users safely regain access to their accounts. Let’s take a closer look at why password resets matter and how Splync implements them securely.

What If You Simply Forget Your Password

Let’s start with the obvious question — what happens if you forget your password in Splync? Without a proper reset system, you’d lose access to all your shared budgets, expenses, and project data. Imagine being unable to check how much you spent on your wedding project or who paid for last month’s trip — everything you’ve tracked and balanced with friends would be out of reach. But beyond numbers, those expense records also tell stories — where you ate together, what you bought for each other, and how you shared moments that became part of your memories. Losing access to that history means losing a quiet archive of your shared life. Without password resets, some users might give up on Splync altogether, while others might create a new account and lose all their past records. Either way, it’s a painful loss for both users and developers.

Why Password Resets Matter Beyond Convenience

Password resets aren’t just about convenience — they’re about trust and security. Without them, there’s no reliable way to prove ownership when access is lost. They also act as an emergency safeguard if passwords are leaked or reused elsewhere. From a developer’s perspective, an automated reset system reduces support workload while keeping users active and confident. It also lays the foundation for future features like multi-factor authentication and account recovery.

How Splync Implements Secure Password Resets

Like email verification, Splync handles password resets entirely on the server side for maximum security. When a user requests a reset, the app sends their email address to the FastAPI backend. The server checks whether that address exists in the database, then generates a secure, one-time token with a short expiration time. Using SMTP, the server sends an email containing a reset link. When the user clicks it, the app verifies the token’s validity and expiration. If it passes, the user can safely set a new password. The new password is hashed with bcrypt before being stored in MariaDB, and the token becomes invalid immediately — preventing reuse. To keep things clean, Splync’s server also automatically removes expired reset tokens, so no leftover data lingers beyond its lifetime. Together, these steps ensure that only the rightful account owner with access to the registered email can complete the process. Even if a stranger attempts a reset, they’ll never gain access without that unique token.

What Exactly Is a Token?

A token is a temporary, randomly generated key that verifies identity without exposing sensitive data. In Splync, each token is a one-time “digital ticket” that works only once and expires after a short time. When you click the reset link, the server checks that this ticket matches your account and hasn’t expired or been used before. It’s a simple idea, but one of the most important layers of modern web security.
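
The token lifecycle described in the two sections above (issue, expiry, single use, cleanup), as an added Python example that is not Splync's own code. It assumes a 15-minute lifetime, an in-memory SQLite table standing in for MariaDB, and storing only a SHA-256 hash of each token; the function names are hypothetical, and sending the email and hashing the new password with bcrypt are left out.

```python
import hashlib
import secrets
import sqlite3
import time

TTL = 15 * 60  # assumed lifetime in seconds; the page only says "short"

def open_store():
    # In-memory SQLite stands in for the MariaDB table (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reset_tokens (token_hash TEXT PRIMARY KEY, email TEXT, expires_at REAL)")
    return db

def _digest(token):
    # Only a hash is stored, so a leaked table yields no usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(db, email, now=None):
    """Create a one-time token; the raw value goes only into the mailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # A new request replaces any older outstanding token for the account.
    db.execute("DELETE FROM reset_tokens WHERE email = ?", (email,))
    db.execute("INSERT INTO reset_tokens VALUES (?, ?, ?)", (_digest(token), email, now + TTL))
    db.commit()
    return token

def redeem_token(db, token, now=None):
    """Return the account email if the token is valid, consuming it; else None."""
    now = time.time() if now is None else now
    h = _digest(token)
    row = db.execute("SELECT email, expires_at FROM reset_tokens WHERE token_hash = ?", (h,)).fetchone()
    if row is None:
        return None
    # Delete on first presentation, expired or not, so it can never be replayed.
    deleted = db.execute("DELETE FROM reset_tokens WHERE token_hash = ?", (h,)).rowcount
    db.commit()
    if deleted != 1 or row[1] <= now:
        return None
    return row[0]

def purge_expired(db, now=None):
    """Periodic cleanup of tokens that were never redeemed; returns rows removed."""
    now = time.time() if now is None else now
    deleted = db.execute("DELETE FROM reset_tokens WHERE expires_at <= ?", (now,)).rowcount
    db.commit()
    return deleted
```

The `now` parameter exists so expiry can be exercised deterministically; a scheduled job would call `purge_expired` with the default clock.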

Choosing Strong Passwords — and Why Splync Won’t Force You to Change Them

A secure system is only as strong as the passwords that protect it. Avoid anything predictable — no birthdays, pet names, or “12345.” Use a mix of random words, numbers, and symbols, or let a password manager generate one for you. Some services still require users to change passwords every few months, but modern research — including NIST (National Institute of Standards and Technology) guidelines — shows this can actually reduce security. Frequent changes lead people to use weak patterns or write passwords down. Splync takes a different approach. We encourage users to choose strong, unique passwords and reset them only when needed. And if remembering them feels tedious, you can skip them entirely: Splync supports Apple’s Passkeys, letting you sign in instantly with Face ID or Touch ID. Passkeys use cryptographic keys stored securely on your device — they can’t be guessed, stolen, or reused. It’s fast, safe, and modern — just like Splync’s approach to security.