Server: Option for more secure app passwords

Created on 16 Mar 2017 · 6 comments · Source: nextcloud/server

The current app passwords (or "device/app pins") are quite short and only consist of capital letters (the hyphens can be added by any attacker as they are at specific positions), which violates all password best practices and policies (even the one you can set in NextCloud's password policy app). The login password is likely longer and if generated with a password manager also more secure (with a higher entropy).

So could you at least offer an option for more secure passwords (just the way password generators generate them, with all kinds of ASCII characters in it)? Either for the user or at least for the server admin?

enhancement

All 6 comments

cc @nickvergessen @rullzer

cc @ChristophWurst

Yeah I'd like this!

I'd like to avoid this until we have a decent oauth endpoint, so the user doesn't have to type this anymore.

Wouldn't it be possible, at least for the time being, to use upper-case and lower-case characters and digits, and e.g. 5 blocks?

Should be fairly easy to change that here https://github.com/nextcloud/server/blob/master/settings/Controller/AuthSettingsController.php#L166

to e.g.

```php
// Five hyphen-separated groups of five characters, drawn from lower case, upper case and digits
$groups = [];
for ($i = 0; $i < 5; $i++) {
    $groups[] = $this->random->generate(5, ISecureRandom::CHAR_LOWER . ISecureRandom::CHAR_UPPER . ISecureRandom::CHAR_DIGITS);
}
```

That wouldn't make the device passwords that much harder to type in but would at least increase the entropy of the tokens.

@nickvergessen would you be interested in a PR for this? One could also add a config option for either old tokens or new token generation.
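As an added illustration (not code from this issue or from Nextcloud), the following Python reproduces the 5-blocks-of-5 layout proposed above and compares the entropy of the uppercase-only alphabet with the mixed lower/upper/digit one. The block count and alphabets come from the thread; the function names and the `secrets`-based generator are my own.

```python
import math
import re
import secrets
import string

# Alphabets mirroring the ISecureRandom::CHAR_* sets named in the thread
UPPER_ONLY = string.ascii_uppercase                                        # 26 symbols
MIXED = string.ascii_lowercase + string.ascii_uppercase + string.digits   # 62 symbols


def token_entropy_bits(alphabet_size: int, blocks: int, block_len: int) -> float:
    """Entropy of a token made of `blocks` groups of `block_len` symbols.

    Hyphens sit at fixed positions, so they contribute nothing and are
    excluded from the count (the point made in the issue description).
    """
    return blocks * block_len * math.log2(alphabet_size)


def generate_token(alphabet: str = MIXED, blocks: int = 5, block_len: int = 5) -> str:
    """Build a hyphen-separated app password from a CSPRNG (the secrets module)."""
    groups = ["".join(secrets.choice(alphabet) for _ in range(block_len))
              for _ in range(blocks)]
    return "-".join(groups)


def is_well_formed(token: str, alphabet: str = MIXED, blocks: int = 5, block_len: int = 5) -> bool:
    """Check layout only: `blocks` groups of `block_len` symbols from `alphabet`, hyphen-joined."""
    group = "[%s]{%d}" % (re.escape(alphabet), block_len)
    pattern = "-".join([group] * blocks)
    return re.fullmatch(pattern, token) is not None


def compare_schemes(blocks: int = 5, block_len: int = 5) -> dict:
    """Entropy of the uppercase-only layout versus the proposed mixed alphabet."""
    return {
        "upper_only_bits": token_entropy_bits(len(UPPER_ONLY), blocks, block_len),
        "mixed_bits": token_entropy_bits(len(MIXED), blocks, block_len),
    }


if __name__ == "__main__":
    tok = generate_token()
    print(tok, is_well_formed(tok))
    print(compare_schemes())  # roughly 117.5 bits vs 148.9 bits for 5x5
```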
