Migrating users off Bubble to another custom platform

Howdy?

We are migrating to our custom platform, and we’re in the process of migrating our data. Ideally, I’d like users not to be affected by the process. I understand we can export DBs in CSVs and use this as the basis for migration, but this won’t include passwords.

This is a long run, but does Bubble offer exposing the password hashes and logic?
Ideally, I’d replicate the same methodology in my custom app so that users can log in with the old credentials.

Thanks

It is a pain and you won’t get the password data. The best way to do it is to make a temporary magic login link system with the new app and, once that has been done, let the user update / reconfirm a password so that your new system has magic login / email/pass login options going forward.

Migrating data out of Bubble is such a pain, from someone who had to migrate over 3 million records. The lock-in that Bubble has on your data is super frustrating.

Thanks for your reply, and it makes perfect sense!
Already was assuming Bubble will not expose such data but just asked to confirm before committing. Doesn’t hurt the users to just reset their passwords :slight_smile:

Thanks again!

You can’t export passwords.

I used to work with people who were paid way too much to sit around importing and exporting spreadsheets into SQL server :zany_face:

Exporting data from any system is a pain!

I know for a fact you can’t export passwords; however, I do know you can authenticate a user via an API call to the server. Maybe there’s some kind of flow where you could authenticate the user’s credential via a call to Bubble, then if it’s valid, prompt them to set a new password or reconfirm it. I’m sure there are security implications with this but I’m just shooting from the hip here.

Hackers have been able to steal customer data including passwords from UK retailer Co-op. Maybe Co-op should switch to Bubble.

It’s only hackers that seem to be able to export data effectively :joy::sweat_smile::person_facepalming:. I guess they don’t have any committee meetings to slow them down…
But yeah, hiding passwords is actually a very nice security feature of Bubble.

Hiding the passwords isn’t really the security part here at all. The reason is hashing. No company in its right mind in 2025 will store users’ passwords in plain text.
Even if you can leak a database of 1 million users, the passwords will be hashes and you can’t make use of it, UNLESS:

  1. You know the hashing algorithm and the salt used to produce the hashes. The hashing algorithm is predictable, so the focus is on salting methods. This is owned by the server logic and not on a database level.
  2. You have the processing power to brute-force each one of them.

2 is not terribly impossible. You can try a dictionary attack on 1 million, and you’d hit maybe 20k at least, which is a lottery for a hacker. I’m oversimplifying this, but it takes a tremendous amount of processing power that’s only feasible for organised large hacker groups. (BTW, I’m seeing Bubble apps accepting passwords like “abcd” so brute-forcing them will be.. fun). Getting to 1 is the key here. It’s impossible to crack a password without knowing the algorithm and salting methodology used. Back in the day, all sites used plain MD5, which still was hard to crack but not impossible; now we’re using better algorithms.

This is why you can theoretically migrate passwords from coded platforms to another. Coded platforms are open-source (duh), and you know the steps used to produce this password; as a result, you’d just take the old code into your new app, and your users would sense a bit of difference. Though this option is boring, long and complicated, and it’s just easier to let the users reset the password. You, in the middle, still don’t know what the passwords are because they are hashed.

TL;DR: It doesn’t matter if the passwords are exposed or not unless you know the salting methods and have the processing power to brute-force part of them.
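
The flow floated earlier in the thread (check the credential against the old system once, then set it on the new platform), combined with the salted hashing discussed in the last post, as an added example that is not part of any post and not Bubble's code. `legacy_verify` is a hypothetical callback standing in for whatever credential check the old platform offers; the PBKDF2 parameters, the record format and the sample data are assumptions, and this variant keeps the user's existing password instead of prompting for a new one.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example


def hash_password(password: str) -> str:
    """New-platform hash: PBKDF2-HMAC-SHA256 with a fresh random salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # The salt is stored next to the digest (assumed record format).
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant time


def login(users: dict, email: str, password: str, legacy_verify) -> bool:
    """users maps email -> {"hash": str | None}; None = imported from the CSV
    export, no password set on the new platform yet."""
    user = users.get(email)
    if user is None:
        return False
    if user["hash"] is not None:
        return verify_password(password, user["hash"])  # already migrated
    # First login after the move: ask the old platform once (hypothetical callback).
    if not legacy_verify(email, password):
        return False
    user["hash"] = hash_password(password)  # old system is never asked again
    return True


if __name__ == "__main__":
    # Constructed sample data; the lambda stands in for the legacy check.
    users = {"ada@example.com": {"hash": None}}
    legacy = lambda email, pw: pw == "correct horse battery"
    print(login(users, "ada@example.com", "correct horse battery", legacy))
    print(login(users, "ada@example.com", "correct horse battery", None))
```

Accounts that never log in during the migration window keep `hash` as `None` and still need the magic-link or reset path once the old system is switched off.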