Allow simple password for folder sharing

A simple password is better than none.
I have a feature request:
When activating link sharing for a folder I would like to provide a simple password for basic access protection. Instead, I’m tutored by the software “this password is among the 1000 most common”.
Shouldn’t the user decide what is appropriate? A hint is ok but not the exclusion.

Here is the use case:
I want to share some pictures with friends from our last hike. It’s nothing highly confidential. I share the link and send it by mail and tell the friends “The password is the village we started in.”
I guess this is better than no password. But since this word is not allowed I set the folder rather to have no password. Bad ending!

Hi @Kugeleis

The password policy is implemented as an app to give admins the opportunity to require passwords of a certain standard. If you don’t need this feature, simply disable the app “Password policy” and use password123 for your folders. :slight_smile: Please be aware that this will also allow your users to set password123 as their user password.

/S

@Kugeleis and @simonspa
A password for Nextcloud shares is only a security feature if you transport the password over a second way, e.g. SMS, WhatsApp or phone. If you share the Nextcloud link together with the password, then there is no security advantage. Nobody can guess the Nextcloud URL. The Nextcloud URL is as complicated as a password :wink:

I shared a secret file for you at https://nc.nl.tab.digital .
Here is a part of the link https://nc.nl.tab.digital/s/
Hack it :wink:

That is of course correct - and holds for user passwords as well. :wink: But it wasn’t the question.

You don’t necessarily need to disable the passwords_policy app. The admin can configure the password requirements in the admin settings (in the section security). But like @simonspa already pointed out, these requirements are applied to all passwords, so also the user passwords.

You can request new features in the github of the app: Issues · nextcloud/password_policy · GitHub

But it is not really better than none.

Thanks for the discussion. I think it makes sense to distinguish the rules between a user password and one for sharing a folder. Weakening the rule for the user pwd would be a poor solution.
I think it makes sense to use a common secret - even if it is a word - for folder sharing. I will file a feature request for the password policy app.

Why? I send the public link via insecure email and the legitimate receivers know we started from the Village “Bedford”? How fast would an evil intruder break this on a Nextcloud instance?

I think what he wanted to say was: it’s not much better than none. :wink:

On the subject: it is often not random hackers on the internet that are the real threat, but people who work in the same office as the recipient and perhaps should not necessarily have access to certain files. Generic passwords that are easy to remember are also easy to guess.

Apart from that, these words are of course also in the password lists that the “real” hackers use.

@Kugeleis
Nobody knows public shares from a Nextcloud instance.
The hacker gets the public share only from the insecure e-mail.

If only you and the receiver know an additional piece of information like “Bedford” outside the insecure e-mail, then and only then is it more secure.

If the simplicity of the password is the problem, and the ease of remembering, you might find this resource useful

If using a strong password for an account, using the same level of complexity for a share is really counterproductive!

When I share a link to a document protected by a password with somebody I’m in touch with, I do not want to share a password! My first intention is to share the doc, so it would be desirable to share an indication of the password used!

Examples:

  1. To a friend: “the password is the last place we met (all lowercase)”
  2. To a customer service: “the password is the id of my account”

I thought passwords were mandatory only last millennium ;), now we probably move to more modern practices :slight_smile: ?

This thread is almost two years old. Maybe it is useful to combine the new app Secrets with sharing (passwords).

Secrets:

Securely share data with anyone. All data is end-to-end encrypted by the user and will be deleted once retrieved successfully

Simply send the password (in the text field not password field) first with Secrets and if ok share the link with the same password. :grinning:

Yes. This is much easier and I like it more. It should also be sufficient for safety. For security, if the data is a copy, you could give the recipient deletion rights to delete the data in a timely manner.