App password not working

I am using Nextcloud 18.0.6.

The app passwords in the Devices and sessions panel are not working.

I created a new app password, but the Android Nextcloud app responds with incorrect credentials.
Same when using a browser and the app login.


You can reset all passwords.

The regular password is working.
The problem affects only generated app passwords.

Can you explain it?

I can try, I thought “app password” should be clear.

After login, every user can create separate passwords in Security -> Devices & sessions.

“Create new app password” created an alternate password for a specific device. Somehow these generated passwords are not working. The Nextcloud client on Android (or a web browser) responds with unknown username or password.

Are you sure you’re not also using the wrong UID or something when you try to access the account?

Also you should have to generate an app pwd for the Nextcloud Android files app. Just go through the web login flow and the rest will be taken care of by the Android code.

Yes, I am sure.

I am not sure what you mean; the Android app would create an app password for itself?
But I need a separate app password for example on DAVdroid.

For DavX⁵, yes, but for for the Nextcloud app.

If that doesn’t work you should report this as a bug, but before that check for any existing tickets.


I can find this in the log messages:

Info core Bruteforce attempt from “****” detected for action “login”.
Warning no app in context Login failed: **** (Remote IP: ****)

Ah, then your instance just blocks the access. That is not a bug. If you have a reverse proxy you might want to check that, otherwise you could clear the brute force attempts table or wait until this has cleared.


Logins are not working since yesterday. Is it cleared daily?
Maybe since the recent nc upgrade from 18.0.x to 18.0.6.

It seems strange that only the app logins and new app logins would be locked.

There is no reverse proxy or bruteforce attack from my own IP. :laughing:

At the first login attempt with an IP address with the correct app login credentials, a new bruteforce attempt entry is created in the database (if not listed before).

Checked with:

SELECT * FROM oc_bruteforce_attempts;

So, it is a bug?
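
The check described in the post above, written out as an added example (not part of the original thread): it summarises what the brute-force table holds, isolates the rows for one client address so a single known-good app-password login can be compared before and after, and clears that one address. It assumes MySQL/MariaDB, the `oc_` prefix shown in the thread, and the column names `action`, `occurred`, `ip` and `subnet`; the address `203.0.113.10` is a placeholder.

```sql
-- Added example. Assumes MySQL/MariaDB and the default "oc_" table prefix.
-- Column names are assumptions about the stock schema; confirm them first:
DESCRIBE oc_bruteforce_attempts;

-- 1. Summarise recorded attempts per source address and action.
--    "occurred" is assumed to hold a Unix timestamp.
SELECT ip,
       subnet,
       action,
       COUNT(*)                     AS attempts,
       FROM_UNIXTIME(MIN(occurred)) AS first_seen,
       FROM_UNIXTIME(MAX(occurred)) AS last_seen
FROM oc_bruteforce_attempts
GROUP BY ip, subnet, action
ORDER BY MAX(occurred) DESC;

-- 2. Reproduce the report: note this count, log in once from that client
--    with a known-good app password, then run the query again. A higher
--    count after a successful login is the behaviour described above.
SELECT COUNT(*) AS rows_for_ip
FROM oc_bruteforce_attempts
WHERE ip = '203.0.113.10'   -- placeholder client address
  AND action = 'login';     -- action name as shown in the log line

-- 3. Clear the throttle for that one address instead of the whole table.
DELETE FROM oc_bruteforce_attempts
WHERE ip = '203.0.113.10';  -- placeholder client address
```

Clearing only the affected address keeps the recorded attempts for every other source intact while the login behaviour is being investigated.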

If the password is not rejected but yet a bruteforce attempt is logged for this request, yep, that is a bug :+1:

I posted a bug report, but the current situation is very inappropriate.

Is there someone here with a Nextcloud 18.0.6 stable version who can test app passwords?

If it is not a general problem with this version and it is caused by the upgrade from 18.0.3, maybe I can reset (only) the app password database (or something else?) to fix it? is the ticket for those who want to dig deeper.


I tested on a hoster, with the same NC version, this error message was the same. Separated app logins are not working. :roll_eyes: