No password means there’s no password to steal.
Loupely uses Magic Link Authentication for every sign-in. When you need to access your account, you enter your email address and a single-use link arrives in your inbox. Clicking it signs you in. Nothing is stored on Loupely’s side that an attacker could use to get into your account by compromising the database. Email addresses are stored, but they’re not credentials.
This matters for how Loupely is actually used. Most site owners sign in a handful of times a year: to check their credit balance, manage billing, or retrieve a License Key. Maintaining a unique strong password for something you access that infrequently is friction that pushes people toward reused or weak passwords. The magic link removes that trade-off by eliminating the password entirely.
How it works technically #
When you request a sign-in link, the system generates a cryptographic token, stores a hash of it, and emails you the URL containing the token. When you click the link, the system hashes the token from the URL and compares it to the stored hash. If they match, you’re signed in and the stored hash is deleted. The token never touches Loupely’s database in usable form.
If you receive a sign-in link you didn’t request, ignore it. Someone typed your email address by mistake. The link expires in 15 minutes and can’t be used more than once.