So, your email address and your password in the Blockstack browser are kept only on a session basis. They are stored with the session object. When you reset your Blockstack browser the session object is deleted. Then, the next time you login, you provide it with a password/email for that session.
Unlike a cloud application username/password, you can provide a new email and a different password for each browser session. The unique and identifying value is your ID and the corresponding Secret Recovery Key or Magic Recovery Code.
We have documentation that might help. And also information about key security information associated with a DApp like the browser. I’ll expand that security and the documentation around the password and email.
Hope this helps. Let us know if it didn’t. Thank you for bringing the question up, I’ll expand the docs to make this clearer.