Allow simple password for folder sharing

A simple password is better than none.
I have a feature request:
When activating link sharing for a folder I would like to provide a simple password for basic access protection. Instead, I’m tutored by the software “this password is among the 1000 most common”.
Shouldn’t the user decide what is appropriate? A hint is OK, but not the exclusion.

Here is the use case:
I want to share some pictures with friends from our last hike. It’s nothing highly confidential. I share the link and send it by mail and tell the friends “The password is the village we started in.”
I guess this is better than no password. But since this word is not allowed, I rather set the folder to have no password. Bad ending!

Hi @Kugeleis

The password policy is implemented as an app to give admins the opportunity to require passwords of a certain standard. If you don’t need this feature, simply disable the app “Password policy” and use password123 for your folders. :slight_smile: Please be aware that this will also allow your users to set password123 as their user password.

/S

@Kugeleis and @simonspa
A password for Nextcloud shares is only a security feature if you transport the password over a second way, e.g. SMS, WhatsApp or phone. If you share the Nextcloud link together with the password, then there is no security advantage. Nobody can guess the Nextcloud URL. The Nextcloud URL is as complicated as a password :wink:

I shared a secret file for you at https://nc.nl.tab.digital.
Here is a part of the link: https://nc.nl.tab.digital/s/
Hack it :wink:

That is of course correct - and holds for user passwords as well. :wink: But it wasn’t the question.


You don’t necessarily need to disable the passwords_policy app. The admin can configure the password requirements in the admin settings (in the section security). But like @simonspa already pointed out, these requirements are applied to all passwords, so also the user passwords.

You can request new features on the GitHub page of the app: Issues · nextcloud/password_policy · GitHub

But it is not really better than none.


Thanks for the discussion. I think it makes sense to distinguish the rules between a user password and one for sharing a folder. Weakening the rule for the user pwd would be a poor solution.
I think it makes sense to use a common secret - even if it is a word - for folder sharing. I will file a feature request for the password policy app.

Why? I send the public link via insecure email and the legitimate receivers know we started from the village “Bedford”? How fast would an evil intruder break this on a Nextcloud instance?

I think what he wanted to say was: it’s not much better than none. :wink:

On the subject: it is often not random hackers on the internet that are the real threat, but people who work in the same office as the recipient and perhaps should not necessarily have access to certain files. Generic passwords that are easy to remember are also easy to guess.

Apart from that, these words are of course also in the password lists that the “real” hackers use.

@Kugeleis
Nobody knows public shares from a Nextcloud instance.
The hacker gets the public share only from the insecure e-mail.

If only you and the receiver know an additional piece of information like “Bedford” outside the insecure e-mail, then and only then is it more secure.

If the simplicity of the password is the problem, and the ease of remembering, you might find this resource useful
