Confused about the app password security

Hi. The app password is specific to each user. So I’m confused about the security.

  1. What would happen if the hacker got my app password and used it to log in to that app on another device? As far as I know, it’s possible. So how do we prevent this?
  2. My point is to use an app password in a login session. Once the user logs out, that app password will be deleted. I generated an app password by using login flow v2, so can I delete it using this link: Login Flow — Nextcloud latest Developer Manual latest documentation?

This is the subforum for the Passwords app for Nextcloud. I don’t think you’re right here. Development questions are better asked here: https://help.nextcloud.com/c/dev/11

You delete the app password in “Devices & sessions”. That’s how you prevent an attacker from continuing to use the app password. App passwords can’t and won’t stop an attacker from accessing Nextcloud from another device.
The security benefit of an app password is that you can revoke it and you can limit the access this device has on Nextcloud.

Yes. This call should delete the app password.
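An added example, not part of the thread and not Nextcloud's own code: a client-side logout that revokes the app password on the server before forgetting it locally, using the `DELETE /ocs/v2.php/core/apppassword` call from the Login Flow documentation. The `store` dict, the `opener` parameter, the `revoke_pending` flag and the reading of the status codes (2xx as revoked, 401 as already invalid) are assumptions made for the illustration.

```python
import base64
import urllib.error
import urllib.request

OCS_APPPASSWORD_PATH = "/ocs/v2.php/core/apppassword"  # endpoint from the Login Flow docs


def build_revoke_request(server, login_name, app_password):
    """Build the DELETE request that asks the server to revoke this app password."""
    if not server.startswith("https://"):
        # The app password travels in a Basic auth header; never send it in clear text.
        raise ValueError("refusing to send an app password over a non-HTTPS URL")
    token = base64.b64encode(f"{login_name}:{app_password}".encode()).decode()
    return urllib.request.Request(
        server.rstrip("/") + OCS_APPPASSWORD_PATH,
        method="DELETE",
        headers={"Authorization": f"Basic {token}", "OCS-APIRequest": "true"},
    )


def logout(store, server, opener=urllib.request.urlopen):
    """Revoke the app password server-side, then forget it locally.

    `store` is a hypothetical dict-like credential store for this client.
    Returns True when the server no longer accepts the app password.
    """
    request = build_revoke_request(server, store["login_name"], store["app_password"])
    try:
        with opener(request, timeout=10) as response:
            revoked = 200 <= response.status < 300  # assumption: 2xx means revoked
    except urllib.error.HTTPError as err:
        # Assumption: 401 means the app password is already invalid (for example
        # deleted in "Devices & sessions"), so nothing is left to revoke.
        revoked = err.code == 401
    except urllib.error.URLError:
        revoked = False  # server unreachable: the app password is still valid there
    if revoked:
        store.pop("app_password", None)
    else:
        store["revoke_pending"] = True  # hypothetical flag: retry the revocation later
    return revoked
```

Keeping the app password until the server confirms the deletion lets the client retry; dropping it locally first would leave a token on the server that is still valid and that the client can no longer revoke.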

Thank you. I changed it to the Development tag.

Do you mean device password? But with this, there’s no need for a standard password or an app password. I also want multiple users to be able to use a device. The limit on access to the device would start after the user logged in successfully and the server generated a new app password.

Passwords generated do give access to the entire Nextcloud afaik. Perhaps an aside, but mentioning: Allow to restrict app password data access · Issue #2866 · nextcloud/server · GitHub

Yes, I knew about that problem. But using an app password is better than storing the user’s password on my app. Once a user logs in successfully, an app password is generated, and it will be revoked if the user logs out. The problem is now how I can prevent attacks from other devices if they know the app password.
I want to have something like this:

hmm, trying linking this over to ask the community dev chat at Nextcloud
Happy 2024.

Thank you. I don't even know that we have a chat. ;-; Happy 2024. :blush: