The password is reset by 1) the client decrypting the ncryptsec, which was delivered by the server after email recovery to confirm their identity, with the previously stored salted hashed password. 2) encrypting the nsec with a salted hash of the new password and sending the ncryptsec and along with the hash of the salted hashed password back to the server. 3) storing the salted based password in localstorage.