Vaults uses username and password only. No email at sign up. No email at sign in. No email for marketing. No email for password reset. The only optional security layer is 2FA, and that is per device, not email based.
Why no email?
Two reasons, both honest.
First, privacy. Email is the single most fingerprintable piece of personal data online. Once a service has your email, it can correlate you across breaches, sell it, get hacked and leak it, or quietly send you marketing forever. The cleanest way to never leak your email is to never ask for it.
Second, friction. Asking for an email during sign up cuts conversion by about a third in our testing. We want anyone, including a 15 year old who does not have their own email account, to be able to claim a vaults.lol page in 10 seconds.
How does account recovery work then?
Be careful with your password. Write it down somewhere safe, or use a password manager (Bitwarden and 1Password both have free tiers). If you turn on 2FA, save the backup codes we show you, screenshot them, store them offline. That is your recovery.
We cannot reset your password by email because we do not have one. That is the tradeoff for the privacy guarantee.
What if I lose my account?
If you have your 2FA backup codes, you can sign back in. If you lost both your password and your 2FA backup, the account is unrecoverable. This sounds harsh, but it is the only way to genuinely protect accounts from social engineering attacks (people pretending to be you to support and getting your account handed to them).
Is this safe?
Yes. Passwords are hashed (bcrypt) so even we cannot read them. 2FA uses standard TOTP (works with Google Authenticator, Authy, 1Password, Bitwarden). Sessions are stored in secure cookies. See is Vaults.lol safe for the full security writeup.