Most actions that handle credentials are fully secured in Bubble, but this one can be compromised depending on the context in which it is used. For example, some admin dashboards (which a non-admin can reach when redirections are misconfigured) have a button that assigns a temporary password to a specific user.
Since everything that happens in the front-end can be seen by anyone, the fix is to perform this action on the back-end side of your app instead. Let's go through this step by step.
1 - Creating the API Workflow
We'll go to the back-end section of the app and create a new API Workflow that we will call “assign-temporary-password”.
It will take one parameter, user-email, of type “text”.
Then we'll simply reproduce the exact same behavior as our initial workflow, this time inside the API workflow, using the user-email parameter to identify the user.
2 - Modifying our initial workflow
Now, let's go back to our previous workflow, the one on the page where the issue was found. Let's delete all the actions inside of it and make it just trigger our freshly created API workflow, filling in the associated parameter.
And… there we go!
The security issue is now fixed and we're all set.
Here is the link to the demo app if you'd like to know how to implement it.
But that's not the safest way to work with passwords
As mentioned in Bubble's official documentation, the most secure way to work with passwords is to use the “Reset Password” action:
Important: This workflow action is meant to be used in a situation where an admin is resetting the password for a user - the admin can see the new password.
We do not recommend building this into an end-user-facing flow on a page because it is not a secure way to work with passwords.
If you can implement this logic, that's the best you can do. If you need to use “Assign a temporary password” in your flow for your specific use case, you now know how to do it in a secure way.