Skip to main content
What Changing Your Password Actually Does — and Why It's Safe to Interrupt

What Changing Your Password Actually Does — and Why It's Safe to Interrupt

June 9, 20267 min readby Ken LaCroix

In MoodHaven your password isn't stored anywhere — it's the key that unlocks everything. So "change password" doesn't update a saved secret; it re-encrypts your entire journal under a new key. Here's what that means in plain terms, and why it's safe to close the app, lose power, or crash in the middle of it.

The short version

When you change your MoodHaven password, the app quietly re-encrypts every entry, every attachment, and every other protected setting under your new password. That takes real work — but it's built so that an interruption can never leave you locked out. At any instant during the change, exactly one password opens your journal: either your old one (if the change hadn't finished) or your new one (if it had). There is no in-between state, and there's no way to lose data by interrupting it.

If you want the one-sentence version: changing your password re-encrypts everything, and if it's interrupted it rolls back cleanly to your old password — every time.

Your password is the key, not a stored secret

Most apps store your password (or a scrambled version of it) on a server and check what you type against it. MoodHaven doesn't work that way, on purpose. There's no server, and your password is never written down anywhere — not on your disk, not in the cloud, not even in a hidden file.

Instead, your password is fed through a deliberately slow math function to derive the key that encrypts your journal. The key lives only in memory while the app is unlocked, and it's gone the moment you lock or quit. That's what "we can't read your journal" actually means: there's nothing to read, because the only thing that can unlock your entries is a key that exists for a few minutes at a time, derived from a password only you know.

This is great for privacy. It also means there's no stored password to "update" when you want to change it. The password is the key — so changing it means re-deriving the key and re-encrypting everything the old key protected.

Two locks, not one

Your data is actually protected by two layers, both tied to your password:

  • The whole database file is encrypted as a single locked container. Steal the file off your disk and it's unreadable scramble.
  • Each entry, and a few sensitive settings, are also individually encrypted inside that container — a lock within the lock.

Both locks are keyed off your password. So a password change has to re-key both: re-encrypt every individual entry, then re-lock the whole container under the new key. Your attachments (photos and files) get the same treatment — each one decrypted with the old key and re-encrypted with the new.

For a small journal this is quick. For a large one with years of entries and lots of attachments, it can take a little while — which is exactly why the next part matters.

Why it's safe to interrupt

Here's the thing we spent the most care on. Re-encrypting an entire journal is a lot of steps, and computers lose power, get force-quit, and crash. A naïve version of this feature could leave your data half-converted — some of it under the old password, some under the new — and no single password would open all of it. That's the nightmare scenario, and it's the whole reason this feature took real engineering rather than an afternoon.

MoodHaven avoids it with a simple, strict rule: do all the heavy lifting first, off to the side, then switch everything over in a single instant. The app prepares a fully re-encrypted copy of your journal alongside the original, without touching the live one. Only when that copy is completely ready does it flip a single switch that makes the new version live. Everything before the flip is reversible; everything after it is just cleanup.

So if the app is interrupted:

  • Before the flip — your live journal was never modified. You open it with your old password, exactly as before. The half-built copy is discarded automatically on the next launch.
  • After the flip — the new version is already live. You open it with your new password, and the app finishes the leftover cleanup on its own.

There is no third outcome. We don't just believe that — we prove it. Internally, the app has a test that deliberately kills the process at every single step of a password change, then relaunches and checks that the journal still opens with exactly one password and that no data was lost. It passes at every step, on every operating system we ship. (There's an engineer's-eye writeup of how that's tested, linked at the end.)

What you'll re-set up afterward

A few conveniences are tied to your old password and can't simply carry over, so the app handles them cleanly:

  • PIN unlock and biometric (Face/Touch/Windows Hello) unlock are switched off by the change. Re-enable them in Settings → Privacy and they'll be re-linked to your new password in seconds.
  • Your recovery key can now be kept. If you have one, the change-password screen lets you type it in so it keeps working with your new password. Leave that field blank and the old recovery key is retired safely — you can generate a fresh one afterward. (Either way, an out-of-date recovery key never silently keeps working, which is the behavior you'd want.)

The app shows you a short checklist of exactly what to re-enable when it's done, so nothing is left to guess.

The honest caveats

  • Keep the app open until it finishes. It's safe to interrupt — that's the entire point of the design — but a large journal takes real time to re-encrypt, and there's no reason to invite a restart you don't need.
  • Old backups keep their old password. Any .moodhaven export you made before the change is a self-contained snapshot, sealed with whatever password you used at the time. Changing your current password doesn't (and can't) reach back and re-key files you already exported.
  • This is for changing a password you know — not recovering a forgotten one. If you've forgotten your password, that's what your recovery key and "Erase & Start Fresh" are for. Changing your password requires entering the current one first.

Why we built it this way

We could have made password changes instant by storing your data under a separate internal key that your password merely "wraps" — and that's a refactor we may do later. But it would have meant changing the core of how MoodHaven encrypts everything, and we didn't want to ship that lightly. So we built the honest version first: it does the full, visible work of re-encrypting your journal, and it does it in a way that can be interrupted at any moment without ever risking your data.

That's the standard we hold the whole app to. Your journal is the one thing it exists to protect, and "trust us" isn't good enough — not for reading your entries, and not for the moment you decide to change the key that guards them.

Want the engineering account — the two encryption layers, the single-instant switchover, and the kill-it-at-every-step crash tests? There's a companion technical writeup that goes under the hood.

Try MoodHaven Journal

Free, open-source, and private. Your journal stays on your device — always encrypted, never shared.