Login encryption

Hi the community,

Are the login passwords encrypted by default when we are using the login template page?
thx

Arnaud

Hi,

All user passwords are stored salted + encrypted in Bubble’s database; other user data is encrypted at rest.

Also, ensure you become familiar with privacy rules, as these run server side to protect data.

Hello,
Could you explain more to me what you're asking?

Thanks,
Nathan

That’s more or less the complexity for a “hacker” to get my app’s user password. That was a question from one of my clients.

Well, I can assure you that all your app's data is safe. In order to access that kind of data you will need to be an SHR (Super High Rank), basically one of the heads. To sum it up, only you can see that kind of info.

Have A Good Day,
Nathan

@anon26152888 Not entirely true. While passwords are encrypted by default, user data is not. Utilizing privacy rules helps prevent unauthorized eyes on your data. Bubble just pushed out a new video; I suggest checking it out to understand how user data is defined. By default, your database, with the exclusion of passwords, is technically public to technical prying eyes.

3 Likes

Alright, I'll take a look. I might need this for my website.

And do you know the level of encryption?

1 Like

Probably high.

Other than SSL at rest, Bubble runs Amazon RDS, which uses AES-256 encryption. I don’t recall the post or URL to Bubble’s official statement. Might be worth reaching out to them for an official answer if you need something more detailed. 🙂

Here’s a recent support article too, Support Article | Bubble.

Bubble Support: support@bubble.io

1 Like

Regarding password encryption, this is from an official Bubble forum post (it’s 2 years old so I can’t say for sure if it still applies, or if anything’s changed, but I’d imagine it’s still valid info):

How are passwords stored in Bubble?
We use one-way hashing and salting to store passwords. One-way hashing is an irreversible transformation: you cannot go from the hashed password back to the original password, so in a worst-case scenario if the Bubble database is compromised, the attacker won’t be able to see what the original passwords were. (The way we check a password is we hash the password that the user enters, and see if it matches the hash we have in the database. Since the only thing we care about is that the two passwords are the same, it’s not important to be able to retrieve the original password: that’s why one-way hashing is considered a best practice for password storage).

Here’s the link to the original post with more details on Bubble’s security:

Josh: Request for a Security Q&A Guide - Need help / App Organization - Bubble Forum