Nextcloud as central password store to sync between mobile and desktops

Could not find a better section beneath these hundreds.
I have been using Nextcloud for quite some years and stay up to date with new versions.

I have an Android smartphone, a Mac, an Android tablet, a Macbook and a Linux notebook. As I trust no other cloud than my own, I only trust the Nextcloud instance on my own server located in a datacenter, so I have reliable internet access.
Everybody talks about 2-factor and passkey authentication, but in the case of my many devices I am worried about synchronisation.
OK, if I have synchronisation, a device can get lost or become defective without problem. But what if e.g. my NextCloud instance fails, gets lost or becomes defective? I have to have a reliable backup.

There are some solutions for Nextcloud, but the more I read, the more confused I am about which one to use. As I see it, they are all 2-factor solutions, but I am afraid that if the second factor is e.g. my smartphone, what if it gets lost, damaged or stolen?

Can somebody please help me?

Thanks

Rainer

We need to define some stuff here.

Identifier/Login

A character string that represents you. It’s probably not private, as it often uses your email or public username/handle. As far as security goes, it’s weak.

Password

A secret character string supposed to authenticate someone. Problem is, it has to be stored on some server (preferably encrypted, but many sysadmins and devs are idiots and store it in plain text). Because it is stored on some server, it may leak into the wild (security breach or malevolent sysadmin). Also, because it’s only n characters (and people re-use passwords in many places), it can be guessed (either by brute force or by dictionary). Also the password could be shared with a person you trust.

Authentication

The process by which a technical system asserts that the person trying to access data/account is the data/account’s owner. Authentication is typically done through login/password (with or without two-factor), but could also be done with RSA/ECC certificates or GPG keys.

Threat model

So anything accessible from the web can be hacked, in particular: passwords. Something that needs to be protected from hackers is your Nextcloud instance, because it probably contains sensitive info. Storing passwords in the very thing that should be protected is a very bad idea: in case it falls, the rest of your digital life falls with it.

The point of two factors is to mix the (server-side) passwords with a (client-side) one-time password, and connect server with OTP through cryptographic ways. Meaning someone would have to physically steal your smartphone (or any second-factor authenticator) AND your server-side password to actually break into your system. Suddenly, it’s a lot more complicated for a hacker.

Now, indeed, relying on a smartphone that can be stolen, lost or destroyed, for the second factor has its caveats. But I’m afraid, the solution is not to backup everything where it can be hacked.

I would advise you to use something like a security key (Yubikey is the most ubiquitous) to handle your second factor. You can have more than one Yubikey for offline backups. You can wear the Yubikey on your keychain or around your neck. The Yubikey will securely hold your second factor offline, has its own password, and can be used on Linux/Mac/Windows/Android/MacOS, through the Yubico Authenticator app. This app is merely a GUI for the key, and will display the one-time password that the key computes through its internal cryptographic magic.

This solution allows you to have redundancy (several Yubikeys), which are all offline (can’t be breached from the web), and individually secured by an offline password (so even stealing the actual keys at your home doesn’t get hackers very far). After n wrong password inputs (n can be configured) they will also get blocked entirely (limited opportunities to try brute force).

But I strongly advise against using Nextcloud as a password vault, because it is on the web, and as such, it is exposed to threats, but also because it is already a central place where private data can be stolen. Even more if you are securing the Nextcloud server yourself, because properly securing a server is a difficult job, and if you trust your own server that much, you probably don’t understand security as much as you think.

Final words

Maybe one day you will end up in a coma, or at the hospital for a long time. It happens sooner than you think. Maybe this day, someone will need to take care of your taxes, health insurance, housing bills, kids and other sensitive stuff like that on your behalf, because you will be lying in a hospital bed, unable to do it yourself.

Maybe this day, having turned your digital life into Fort Knox will be actively harmful to you. Always have a plan B for that case.

I agree completely, but where is the solution? Nearly everybody has more than one device. Many different passwords are impossible to remember. So you have four options:

  1. only a few passwords, so the same password for different groups, by security level: very bad
  2. the same password with a variation schema for different sites: easy to remember, quite secure as long as the hacker does not know the schema, but if they do, everything is open
  3. a password list on paper or in a file on a USB stick: not very comfortable
  4. a password manager: easy to use, can handle complex passwords

Still there is the problem of synchronisation and backup if the password manager crashes or the device is on.
So I need to store the passwords in a backed-up central place, accessible from everywhere I have internet: a cloud. I do not trust Google or any other cloud service, least of all Microsoft. So only my own cloud is a solution.
But there is still the problem that if a device, e.g. the smartphone, is stolen and hacked, all my sites are accessible. But how to change tens of passwords in a short time in this case, without syncing this to the stolen device?
And there are a lot more of issues, like easy handling etc.

Thanks

The NC app OTP manager is a great solution in this case.

Every time you come across an MFA registration (key or barcode), store it first in your OTP manager, then access the barcode in OTP manager to register a new account in your favourite MFA app. The best thing is that these OTP secrets are hosted on your NC, and there is also an Android and an iOS app for them, so you can have redundancy. Then add the NC Passman app, and store the break-the-glass emergency codes you generate when you set up NC MFA in that one. There are also both Android and iOS apps for that one. Use the NC Passwords app for everyday and regular password manager use (there are also browser plugins).
“Why do you suggest BOTH credential safes and not just one?”
Well, Passman encrypts the vault with a master password, so when synchronizing the secrets to other devices you still need to enter the master password in the local device app in order to decrypt the vault, but the secrets are available offline. However, the best experience and best supported password manager in NC is the Passwords app, hence I prefer using that one in my normal day. Passman is used for the stuff that needs protection most.
Alternative: use the KeePass NC app, albeit it provides you only a secure password store that you do, at least, have available offline on all devices with a Nextcloud client.

You can store passwords in password managers, like Keepass or Bitwarden or any Nextcloud password manager plugin (both open-source, self-hostable, with clients for desktop, mobile and browser). Having tested a couple, Bitwarden seems the best for cross-OS and cross-browser support (Keepass is a struggle).

Then, your model is:

In this model, you need to remember only 2 master passwords:

  • the one of your password manager (stored online),
  • the one of your security key(s) (stored offline — don’t save it in your password manager).

The password manager protects you from global attacks (hackers randomly attacking web services by dictionary or brute force), and allows you to use strong passwords without having the burden of recalling them. But it makes targeted attacks (targeting you specifically) much easier since you have centralized all your credentials in one place. That’s why you need another offline layer of protection.

In this model, the offline and online layers are fully separated, and the Yubikey password is the safest because it exists only on your hardware token. To log in to any web service or to your password manager, a hacker needs to:

  1. either:
    • know the {password + login} couple of your web service,
    • know the {password + login} couple of your password manager (from which all other {password + login} couples can be found),
  2. have your Yubikey/hardware security token physically in hand,
  3. know your Yubikey/hardware security token master password (only 3 attempts allowed).

Note that Yubikeys can handle the one-time passwords (like any authenticator app) but can also use other protocols that don’t require temporary passwords and may be more secure (in that case, you simply put the key into the USB port).

As I said, you can have several Yubikeys. This way, you avoid putting every security layer online and you still have portability between devices and redundancy if you lose one Yubikey. The one-time passwords are stored within the Yubikey, so they work through any device where you plug in the key (through NFC or Lightning/USB port).

What @Kerasit suggests is a similarly-split model, but with everything online:

So a hacker would need to hack into both password managers. The problem is they are both online, aka publicly exposed. That’s why the smartphone-based OTP apps are great, because at least one of the factors is offline… but then, you lose your smartphone, you lose your accounts. I believe that Yubikeys and similar hardware tokens fix that issue. Also, some services will allow you more than one second factor (but still not all), so you could actually use one Yubikey as a redundancy of your smartphone, at the same time.

In any case, you need to split the static passwords from the one-time passwords, otherwise the second factor makes no sense since its purpose was to make it twice as hard to hack into your accounts. Using Nextcloud or any other password manager to centralize first and second factors defeats the purpose.

Which is why I use Passman to have a private key-phrase based encrypted vault for the recovery codes and master passwords, so a hacked NC still requires the hacker to break the encryption.

The recovery codes replace the second factor in case you lost it, so storing them along with passwords voids the second factor anyway.

Which is why I use two different password managers, both on NC: https://apps.nextcloud.com/apps/passman which creates the vaults using encryption regardless of whether you have any other encryption in place already (like keepass), and where you sync the vaults between your devices using the dedicated app. This one is only compromised if they brute-force your pass-phrase for the vault.
And then I use https://apps.nextcloud.com/apps/passwords for anything non-critical.

If you are REALLY paranoid about your security, then Passman also supports storing OTP secrets.

And then I use OTP Manager (from the Nextcloud App Store) for storing the OTP secrets and to use as a backup OTP client if needed. I do prefer Authy, however it is EOL as an OTP client; I trust neither Google nor MS, so I need to find an alternative.

The only OTP secret I do NOT store in the OTP manager is the Nextcloud one. That is not backed up anywhere. This is where the stored backup codes in Passman come into play (I have the Passman app on my phone, and after unlocking it with the passphrase to decrypt the local vault, I have access to those backup codes). Compromising my NC will potentially provide a hacker access to the regular passwords stored in the Passwords app and the OTP codes in the OTP Manager. I got a vulnerability right there. However, that is a choice of mine, as if I used Passman solely, the credentials as well as the OTP codes could be separated or stored in the same place.

If I was REALLY security rigid, I would use the Passman app for all the OTP codes in one vault and all the credentials in another vault, and then I would have a KeePass safe stored under my files, synced through the NC clients and available with local apps on any kind of device. In that safe I would store the master passwords and account details to the most important stuff: my credentials for NC, my admin credentials for NC, service accounts for NC and so on. But I value convenience and so I rather use the Passwords app for much better functionality and richer features, despite it lacking encryption (the data is stored in the database non-encrypted).

I use KeepassXC for most purposes; I can share the passwords over several clients. Desktop works quite well, on mobile it is a bit of a struggle.

On top of that, I can add some 2FA that is not part of the keyfile.


I like KeePassXC as well. Easy solution also as it just syncs the vault using the device clients. :slight_smile:


Couple of additional notes here:

Last week I lost my Nextcloud instance after an upgrade. I still don’t know what went wrong and one week later I have only figured out maybe 80 % of the issue. Am I glad that I didn’t lock my passwords in Nextcloud? You bet I am. To each service its own container. Playing matryoshkas with your services may give you a sense of security (need to break the top-most container before getting to the inner-most one), but it’s just adding problems on top of one another. Servers break on their own on a regular basis: it’s called updates. Don’t do updates, you are facing possible security threats; do them and you are facing unexpected maintenance. Hopefully, with compartmented servers/services, they will not all break at the same time, and you can backup/restore them individually when they do.

Keepass has no project owner, there is an open protocol and then it’s many different implementations for different OS by different individuals. Android support is quite bad, you have different clients, none of them feature-complete. Linux support is ok though it doesn’t talk to the web browser. I tried using the Keepass ecosystem for a couple months: I kept getting DB synchronization issues (keep backing up your “vault”) until I couldn’t recover the vault. That’s when I called it quits.

The reason is that the Keepass architecture uses no server (which could resolve concurrent accesses and deal with atomic password updates through a database server), so each client does its own thing on a vault, which is basically fully overwriting an opaque big file stored somewhere accessible from the network (for all your clients). In other words, the Keepass protocol is not designed for multiple, concurrent device uses over the network. Such use is a hack that may work until it doesn’t.

If you are dead-set on hosting your password manager, Bitwarden has a server that you can host yourself and install with Docker.
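The post above contrasts two synchronisation designs: a single opaque vault file that every client rewrites wholesale, versus a server that applies individual password updates. The following added example (a constructed model written for this thread, not KeePass, Nextcloud or Bitwarden code) simulates both with two devices editing at the same time. `OpaqueVaultFile`, `VaultServer` and the entry names are made up for the illustration; the file-based model loses one of the two edits silently, while the versioned server model keeps both and turns a genuine conflict on the same entry into an error the client can see.

```python
"""
Constructed model of the two sync designs discussed in the thread:
  - OpaqueVaultFile: one blob, read whole / written whole (file-sync vaults).
  - VaultServer: per-entry updates with version checks (server-backed vaults).
"""
import json


class ConflictError(Exception):
    """Raised when a client updates an entry based on a version the server has moved past."""


class OpaqueVaultFile:
    """File-sync vault. The real thing is an encrypted blob, which is exactly why a
    sync layer cannot merge two versions of it: it can only keep one of them."""

    def __init__(self, entries: dict):
        self._blob = json.dumps(entries)

    def read(self) -> dict:
        return json.loads(self._blob)

    def write(self, entries: dict) -> None:
        self._blob = json.dumps(entries)   # last writer wins, nothing is merged


def file_sync_scenario() -> dict:
    """Two devices open the same vault, each changes a different entry, both save."""
    vault = OpaqueVaultFile({"mail": "old-mail-pw", "bank": "old-bank-pw"})
    laptop = vault.read()
    phone = vault.read()            # both hold the same (soon stale) copy
    laptop["mail"] = "new-mail-pw"
    vault.write(laptop)
    phone["bank"] = "new-bank-pw"
    vault.write(phone)              # silently discards the laptop's mail change
    return vault.read()


class VaultServer:
    """Server-backed vault: every entry carries a version, and an update must name the
    version it was based on (optimistic concurrency), so a lost update becomes an error."""

    def __init__(self, entries: dict):
        self._entries = {name: (value, 0) for name, value in entries.items()}

    def get(self, name: str) -> tuple:
        return self._entries[name]                     # (value, version)

    def update(self, name: str, new_value: str, based_on_version: int) -> int:
        _, version = self._entries[name]
        if version != based_on_version:
            raise ConflictError(f"{name}: client has v{based_on_version}, server has v{version}")
        self._entries[name] = (new_value, version + 1)
        return version + 1

    def snapshot(self) -> dict:
        return {name: value for name, (value, _) in self._entries.items()}


def server_sync_scenario() -> dict:
    """Same two edits as above, but as per-entry updates: neither overwrites the other."""
    server = VaultServer({"mail": "old-mail-pw", "bank": "old-bank-pw"})
    _, mail_v = server.get("mail")  # laptop reads
    _, bank_v = server.get("bank")  # phone reads at the same time
    server.update("mail", "new-mail-pw", mail_v)   # laptop saves
    server.update("bank", "new-bank-pw", bank_v)   # phone saves
    return server.snapshot()


def stale_write_is_rejected() -> bool:
    """Two devices edit the *same* entry: the second write, based on an old version,
    is refused instead of silently clobbering the first."""
    server = VaultServer({"mail": "old-mail-pw"})
    _, v = server.get("mail")
    server.update("mail", "laptop-pw", v)
    try:
        server.update("mail", "phone-pw", v)        # phone still holds version 0
    except ConflictError:
        return True
    return False


if __name__ == "__main__":
    print("file sync   :", file_sync_scenario())     # laptop's mail change is gone
    print("server sync :", server_sync_scenario())   # both changes survive
    print("stale write rejected:", stale_write_is_rejected())
```

The file-based run ends with `mail` still at its old value, which is the "DB synchronization issue" the post describes, except that in the model it is visible and in a real vault it is silent until you look for the password that is missing. The version check is the minimal piece a server adds; a real one would also serialise updates and back up the store, but the lost-update problem is solved by the version alone.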

First:
No arguments against the main points. I wholeheartedly agree.

Second:
The pros and cons in regard to password vaults:

Pros

  • Most of them are “secure” by design.
  • One place to keep your credentials.
  • Often much easier to do safer passwords and phrases, as you can auto generate and do not need to remember them.

Some PW managers have added extras such as transportable (USB), replicated/synced (either the service itself is a central service and you connect with clients, or you simply sync the local database file using the local file sync features of your environment), backup and restore, and more.

Cons

  • One place to keep your creds and secrets, is also one point of failure and you have no disaster recovery of a single database (broken, corrupted, forgetting master password etc).
  • Transportable requires a medium. Whoever allows “foreign” USB thumbdrives to be inserted in their equipment, has not followed security hardening trends for the last 15 years. Using a thumbdrive for your mobile device, is…not a user friendly experience.
  • Replicated safes need either a master (central) or risk corruption/not being in sync anymore.

There are other pros and cons ofc. But these were top of my head.
Point is that unless you are a corporate organization and have redundancy with physical safes where you can store envelopes, as well as having a proper PAM with password safes that supports built-in multi-tenant setup/clustering and proper backup methods to offsite locations (locally encrypted before being placed offsite), you have to balance security versus actual usability.

EDIT: One thing is the fort knox and extreme security/resilience. The other is the term “good enough”. No one but you knows what you consider “good enough”.

A bit off topic:
I had my first server in 1985, a NetWare 86 on an XT clone, a little bit later NetWare 2.0a on a 286 clone. In the meantime I have had a lot of servers with different kinds of OS: NetWare up to version 6.5, Windows 2000, SUSE Linux in different versions, Debian from 7 to 12, in the last years only Debian and SUSE and now PROXMOX instead of ESXi.
As I keep my servers and applications current, I have done maybe hundreds if not thousands of updates and upgrades, in my company and at customer sites. And as I remember, I had problems or real problems only quite a few times. But still, now I never do an update or upgrade without at least a snapshot or a reliable backup.