Different password policies for different groups?

I want to have different password policies for different kind of users, like

  • 10 char, whatever, if user has TOTP enabled
  • 25 char, obnoxious requirements, otherwise.

Is this a feature of any app I can install?

As far as I know, this is not possible, and I am not aware of any app that offers such a feature.

My recommendation would be to choose a good middle ground for the password length, e.g. 16 characters for all users, enforce strong passwords and limit the number of login attempts. Example:

Or even better, just enforce 2FA for all users, and perhaps offer other 2FA methods such as WebAuthn as well, for users that prefer to use a security key instead of TOTP.

@Giuseppe
You can not compare passwords (strong or weak) with 2FA; that makes no sense. Also, strong passwords can be read by a keylogger, and then strong passwords help nothing. Use 2FA or don’t use it. But don’t try to fake security with passwords that doesn’t exist. You won’t achieve anything with a password length of 25 characters instead of 10, as this is completely irrelevant for all attack scenarios apart from decrypting password databases.

I know.

I have some users that I cannot enforce 2FA on (they’re shared accounts). For everybody else, I’d be happy enough with a bad password plus enforced OTP.

But without OTP, your password actually has to be good, and it won’t be if I don’t enforce it.
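The tiered policy the question asks for, as an added example that is not from this thread or from any Nextcloud app: the 10- and 25-character thresholds are the ones from the question, the character-class rules and the `Account` fields are assumptions, and a shared account never qualifies for the relaxed tier because it cannot enrol a personal second factor.

```python
from dataclasses import dataclass, field
import re

# Two policy tiers as proposed in the question. The lengths come from the
# thread; the character-class requirements are an assumption.
TIER_WITH_2FA = {"min_length": 10, "classes_required": 1}
TIER_PASSWORD_ONLY = {"min_length": 25, "classes_required": 3}

CHAR_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


@dataclass
class Account:
    name: str
    second_factors: set = field(default_factory=set)  # e.g. {"totp", "webauthn"}
    shared: bool = False  # shared accounts cannot enrol a personal second factor


def tier_for(account: Account) -> dict:
    """Only a non-shared account with at least one enrolled second factor
    gets the relaxed tier; everything else falls back to the strict one."""
    if account.second_factors and not account.shared:
        return TIER_WITH_2FA
    return TIER_PASSWORD_ONLY


def check_password(account: Account, password: str) -> list:
    """Return the policy violations for this account's tier (empty means accepted)."""
    tier = tier_for(account)
    problems = []
    if len(password) < tier["min_length"]:
        problems.append(f"shorter than {tier['min_length']} characters")
    classes = [name for name, rx in CHAR_CLASSES.items() if rx.search(password)]
    if len(classes) < tier["classes_required"]:
        problems.append(
            f"needs {tier['classes_required']} character classes, has {len(classes)}"
        )
    # Reject passwords built from the account name regardless of tier.
    if account.name.lower() in password.lower():
        problems.append("contains the account name")
    return problems
```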

@Giuseppe
The problem is rather that the users share the account. You should solve this by creating your own accounts. Shared accounts do not meet any security or compliance requirements.

If the users only use a Nextcloud client, you could perhaps use app passwords. Then you neither have the password problem nor do the users need 2FA.

I know that too, but our workflow runs on this assumption. We’ll eventually move everybody on individual accounts.

Then you probably only have 25 characters for all users. In my case, I would probably generate an MD5 fingerprint based on an easy-to-remember character string that changes every month and then capitalize the first letter, for example, and add one special character at the end in accordance with the requirements for your password rules. Then the length is 33 characters and all is ok and I can easily recreate it. I hate password managers. How long is the password of your password manager? 25 characters or 10 characters? Without 2FA I think 25 characters is better. :wink: