Master password retry policy

I installed the latest “nightly” build and I was not able to log in anymore. A valid combination of master password and TOTP code was not accepted. After multiple attempts, my account got locked out with the error message “too many attempts” with no obvious way out. I still had access to the Passwords Admin page (/nextcloud/index.php/settings/admin/passwords); however, there was no way to reset the master password for a specific user or manage retry attempts.
This made me wonder: what is the built-in master password retry policy? Is there a way to manage this policy either in the UI or on the command line? I checked the handbook but didn’t see it mentioned anywhere.

The app has a limit of 5 failed login attempts before the client is kicked. That is not configurable.

There is also a rate throttling of max. 6 attempts per minute to create an authorized session.

That’s good to know. Thank you.

What happens after the 5th failed attempt? There is no password recovery process for the user.
Is the user locked out forever, or does the ban expire after some period of time?
Is there a way for a sysadmin to reset the retry counter or change the user password?

The error “Too many attempts” appears if the incorrect password/token was entered too often.
Starting with the fifth failed login attempt, every failed login attempt will cause the API credentials of the client to be revoked. So if the client used an app password, that app password is revoked. Accessing the API with the Nextcloud username and password (so not an app password) is blocked until a successful login happens.
There will also be a notification about the issue.

The “Rate limit exceeded” error will be reset after a minute.

There is no way to change the master password. It’s used to encrypt the data and not stored on the server.

These two are clear.

This one is still confusing. So does this mean that after the 5th unsuccessful attempt the user is forever locked out? There is no lock timeout?

No.
When you set up a new client - the browser extension or any app - it usually generates an app password which you can see in your Nextcloud security settings. This app password is used to access the API. It is not the master password used to unlock the passwords. The web UI creates a temporary app password for every session.
Starting with the fifth failed attempt, every failed attempt will automatically cause the app password used to access the api to be revoked.
The web UI will notice this and reload the page to create a new app password. If you used the browser extension for that failed attempt, the app password for that server needs to be updated in the settings. If you used any Android app for that failed attempt, you need to log into Nextcloud again.
Every time an app password is revoked, you get a notification about this. (If you didn’t disable security notifications in the passwords app settings)

Any client that attempts to access the passwords API with your regular Nextcloud user password (and not an app password that can be revoked) won’t be allowed any login attempt at all.

After the master password was entered successfully, any client using the regular Nextcloud user password will work normally again and the counter will be reset to 0.

I’m actually surprised by this. There has been no change in the login process since early last year. Can you tell me from which version you upgraded, what version of NC you’re running, and what kind of 2FA you’re running? And maybe, are there any errors related to the app in the NC log?
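As an added illustration (not the Passwords app’s own code), here is a small Python model of the policy as described in the thread: a failure counter, revocation of the client’s app password on and after the fifth failure, the regular Nextcloud user password being blocked until a successful unlock resets the counter, and the throttle of 6 session attempts per minute. Constants, function and field names are my own assumptions, not the app’s internals.

```python
from dataclasses import dataclass, field

# Assumed constants, taken from the numbers quoted in the thread.
FAIL_LIMIT = 5        # failures tolerated before credentials start being revoked
RATE_LIMIT = 6        # session-creation attempts allowed per window
RATE_WINDOW = 60.0    # seconds


@dataclass
class UserState:
    """Per-user server-side state for the modelled retry policy (hypothetical)."""
    failed_attempts: int = 0
    attempt_times: list = field(default_factory=list)      # recent attempt timestamps
    revoked_app_passwords: set = field(default_factory=set)


def attempt_unlock(state, now, credential, is_app_password, master_ok):
    """Model one attempt to create an authorized session.

    credential      - identifier of the app password, or "user-password" for the
                      regular Nextcloud login
    is_app_password - True if the client authenticates with a revocable app password
    master_ok       - whether the submitted master password (+2FA) was correct
    Returns one of: "rate_limited", "revoked", "blocked", "rejected", "ok".
    """
    # Throttle: at most RATE_LIMIT attempts inside the sliding RATE_WINDOW.
    state.attempt_times = [t for t in state.attempt_times if now - t < RATE_WINDOW]
    if len(state.attempt_times) >= RATE_LIMIT:
        return "rate_limited"          # clears by itself once the window moves on
    state.attempt_times.append(now)

    if is_app_password and credential in state.revoked_app_passwords:
        return "revoked"               # client must obtain a fresh app password
    if not is_app_password and state.failed_attempts >= FAIL_LIMIT:
        return "blocked"               # user-password clients get no attempt at all

    if master_ok:
        state.failed_attempts = 0      # successful unlock resets the counter
        return "ok"

    state.failed_attempts += 1
    if state.failed_attempts >= FAIL_LIMIT and is_app_password:
        state.revoked_app_passwords.add(credential)   # 5th and later failures revoke
        return "revoked"
    return "rejected"
```

Running the sequence from the thread (four wrong guesses, then a fifth) shows the fifth failure revoking the app password, while a later correct unlock from a fresh app password lets user-password clients work again.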

Thank you. I think I understand now.
I got locked out from the web app interface
/nextcloud/index.php/apps/passwords
so it sounds like if I had just closed my browser and restarted with a new session it would have let me log in again.

Regarding the version, unfortunately after this happened I panicked and Disabled->Removed->Reinstalled the app trying to reset it, and after that did not work I disabled and removed it again and deleted my passwords user account using the occ command:

 sudo -u www-data php occ passwords:user:delete <username>

I didn’t have many passwords at that time since I’m still evaluating this solution as a potential replacement for LastPass. Then I re-installed the app again to start from scratch.

The update I installed when I lost access was today, March 11, 2021. Before the update I was only prompted for the master password to access the passwords app vault, and after the update I was prompted for the password as well as a TOTP code. I entered my “passwords” password (not my NC password) and the NC TOTP code and they were not accepted.

NC version: (screenshot)

With the NC app, it should really work on its own. 5 failed attempts → error message → reload → one more attempt.


In case something bad happens, the app also has server side backups.

Thank you. I got it. Good to know for future.

As I mentioned, in my case with the latest “nightly” update I was presented with 3 fields on the login screen:

  • Password
  • 2FA drop-down (TOTP Authenticator/Backup codes)
  • TOTP code

Thank you for the quick responses. I appreciate your help.