Using bcrypt to hash a password field?

We were looking to create a password field in Grist for our internal application. Obviously, we need to hash the passwords. I thought we could do something like this in a formula column, but it doesn't do anything. Maybe I'm misunderstanding how our formula columns work? Just a newbie here. Any help appreciated.

import bcrypt

# example password (in practice this would come from another column)
password = 'password123'

# bcrypt works on bytes, so encode the text first
password_bytes = password.encode('utf-8')
# gensalt() produces a fresh random salt (with the work-factor prefix) on every call
salt = bcrypt.gensalt()
# hashpw returns the salted hash as bytes, e.g. b'$2b$12$...'
hashed = bcrypt.hashpw(password_bytes, salt)
# decode so the cell stores the hash as text rather than a bytes object
return hashed.decode('utf-8')

Hi @ddsgadget.

Your formula looks correct. The reason why it doesn’t work is that bcrypt is not installed in the Python sandbox that evaluates formulas.

Beyond that, there are some security concerns with hashing in a document this way. Even with a trigger formula that takes a plaintext password as input and stores the hashed output in a cell, the original input for the trigger formula is still saved in an internal Grist metadata table. While I don’t believe the Grist UI currently displays this information anywhere, like in Document History, the data will still be visible in responses to API calls made by the client.

George

Thanks, so I guess we can't use Grist yet for any sensitive info, like passwords?

For passwords specifically, Grist tracking document actions (including inputs to a trigger formula) does make hashing passwords inside Grist unsuitable from a security perspective, since the plaintext password used to compute the hash can be recovered from history.

Are you able to share more information about the password field and how it fits into the context of your application? Just trying to better understand your use case. Thanks.

George

We wanted to use Grist to manage logins to a simple app, which controls forms on the frontend using React. When a user submits these forms they would go into a Grist table. However, we want users to log in before submitting the form, so we figured we would store the user credentials in Grist also, and do the hash on the database side. I guess we will just hash the password via a separate backend API and then just store the hash in Grist.
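As an added example (not code from this thread or from Grist itself), here is the backend-side arrangement the last message describes: the server hashes the password and sends Grist a record that contains only the hash, so the plaintext never enters a formula and never lands in the document's action history. It uses the standard library's PBKDF2-HMAC-SHA256 in place of bcrypt so it runs without third-party packages; the column names Username/PasswordHash and the shape of the /records request body are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters. Stand-in for bcrypt (see lead-in); the
# iteration count is kept moderate so the example runs quickly.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: pbkdf2_sha256$<iters>$<salt>$<digest>.

    A fresh random salt is drawn per call, so hashing the same password twice
    yields two different strings that both verify."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash using the salt and iteration count embedded in
    `stored` and compare in constant time. Malformed input verifies as False."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        iters = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # wrong field count, bad int, or bad base64
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(actual, expected)


def grist_record_for_signup(username: str, password: str) -> dict:
    """Body for a POST to a Grist table's /records endpoint (column names are
    assumed). Only the hash is included; the plaintext stays in the backend."""
    fields = {"Username": username, "PasswordHash": hash_password(password)}
    return {"records": [{"fields": fields}]}
```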