Nextcloud will check passwords against database of HaveIBeenPwned

Originally published at: Nextcloud will check passwords against database of HaveIBeenPwned - Nextcloud

Users tend to reuse the same passwords in multiple places, which poses a significant risk when passwords are stolen. Last Thursday, security researcher Troy Hunt, known from his site HaveIBeenPwned, expanded his existing dataset of 306 million leaked passwords with another 200 million, bringing the total to half a billion. Organizations can check passwords against this list to ensure their users don’t pick a password that is already known and is therefore likely to be among the first an attacker tries when breaking into a system.

Pwned Passwords

His collection of passwords, named Pwned Passwords, is distributed as SHA-1 hashes of the passwords so that checks can be made against it without handling the plaintext. It also offers a counter showing how often each password occurs in the dataset; abc123, for instance, has a count of 2.5 million according to a blog post by Hunt.

In this blog post, Hunt also explains that he gathered the 8.8 GB worth of passwords from a series of public leaks, and he warns strongly against using any password that is part of his collection. He made the whole set available for download via a torrent, and on his website he offers an API that can be used to check passwords against it. It is common practice for both attackers and defenders in computer security to build lists of commonly used passwords. Attackers use such lists in dictionary attacks (alongside precomputed lookup tables such as rainbow tables) to recover passwords from stolen databases of hashed passwords; defenders, as in this case, use them to ensure users don’t pick previously breached passwords.
[Image: online check against the HaveIBeenPwned database]

Password security in Nextcloud


Currently, Nextcloud allows administrators to enforce a NIST-compliant password quality policy, which includes a check against commonly used passwords such as ‘test’ and ‘abcabc’. These rules are checked when a user chooses a new password or when the admin creates a new user with a password. The new test against the HaveIBeenPwned database queries its Pwned Passwords public API and warns if the password has appeared in a breach.

Shipping an 8.8 GB password database alongside Nextcloud would make the download far too big for most users, so the check is done online. Nextcloud does not send the password itself, nor even its full hash: it sends only a partial hash (the first five hex characters of the SHA-1 hash of the password) and receives the list of all known hashes that start with those characters, which it then compares locally. This avoids any increased risk of leaking the password, since even if intercepted, the first five characters of a 40-character hash are of little help in recovering the full password, and the attacker would not know the user name either. The administrator can enable or disable this feature; we still have to determine whether we’ll enable it by default, but likely not.
[Image: The new Password Policy settings in Nextcloud 13.0.1]
This improvement helps make passwords more secure, avoiding the use of known breached passwords and adding to our brute-force protection, two-factor authentication and existing password quality checks to ensure strong account protection.

The new check will be part of Nextcloud 14 and might also be backported to Nextcloud 13 in one of the upcoming patch releases. While this technically qualifies as a new feature (and backporting features always comes with a risk), password security is central to keeping data under control and thus worth some extra testing effort. We still recommend using the built-in two-factor authentication for additional protection against stolen passwords!

Update: the code has been reviewed and merged and will be backported to 13.0.1. It will be disabled by default.

3 Likes

Please do not turn that on by default. Just my 2¢. Not everyone will be comfortable using that service, and having it on by default means that the initial login would use the service. I suppose if there were a popup on initial login asking about that, but you already ask about sending metrics, so it’s probably not a good design idea to have that pop up then.

3 Likes

@dsb
ummm… you already saw that it’s the admin’s choice whether to turn it on or not?

3 Likes

I like this feature, but also think it should be opt-in. And maybe someone could clarify the following points?

  1. When exactly is the check done? When the passwords are set or on every log-in?
  2. What happens when the API is unreachable? Will Nextcloud fall back to allowing all passwords or stop working?
  3. Worst-case scenario: If Troy turns evil :smiling_imp: and makes the API always return a match, would this effectively forbid all passwords? Or is this impossible because to match all hashes, the reply would have to be much larger?
  4. In the blog post “hash of the first 5 characters” sounds like you are truncating the password and then hashing, but as far as I understand, you first hash and then send the first five characters of the hash to the API
  5. The sentence “In this blog, Hunt also explains …” misses some word, or where can I download Troy himself? :wink:
3 Likes

You can download Troy here.

:wink:

In all seriousness, I updated the article to answer your questions, thanks for asking.

  1. when you choose a password, our current password check enforces the rules the admin has set. So that will be the same with this new, optional, additional check.
  2. When it can’t check - good question. I suppose it’ll give some kind of error, but if that means approval or denying - I would expect the latter would be the best choice. As user, you’d then have to contact support/the admin to get the problem fixed. Better than allowing a bad password to be chosen! @rullzer will know.
  3. Yes, I suppose it would. So as admin you’d get contacted as nobody can create new passwords and you’d have to disable this check.
  4. Fixed, you’re right.
  5. fixed :wink:
4 Likes

To complete the reply from @jospoortvliet

  1. Yes when you set the password.
  2. Currently it fails and the test passes. I did this because you still want to be able to test passwords when the API is not reachable. But please open an issue at https://github.com/nextcloud/password_policy to discuss this.
  3. He could. But I guess word of that would spread quickly. Also, since we send only the first 5 characters of the hash of the password, he would have to return every hex combination of the remaining 35 characters. So 16^35 lines. That would time out. And also make his traffic bill huge, I’d think :wink:
  4. Yes, first we hash the password. Then we take the first 5 characters of the hash. We then ask from the API all the hash that start with those 5 chars and check for a match with the remaining 35 characters.

I hope this explains it all.

3 Likes
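To make the mechanism concrete (the hash-then-split scheme described in the announcement above and the unreachable-API behaviour discussed in points 2 and 3 of this reply), here is an added example in Python. It is not code from Nextcloud or the password_policy app. The range endpoint URL, the “SUFFIX:COUNT” line format of the response and the contents of the sample bucket are assumptions or constructed data; the live fetch function is included only for reference and is not used by the offline demo.

```python
"""k-anonymity range check against the Pwned Passwords API (added example).

Not code from Nextcloud or the password_policy app. The endpoint URL and the
response format (one "SUFFIX:COUNT" line per hash, CRLF-separated) are
assumptions about the public API; SAMPLE_RANGE_5BAA6 below is constructed.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumption: the public range endpoint of Pwned Passwords.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """Hash first, then split. Only the 5-char prefix ever leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]  # 5 + 35 = the 40 hex chars of a SHA-1


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the API body ("SUFFIX:COUNT" per line) into {suffix: count}."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError("malformed range response line: %r" % line)
        table[suffix.upper()] = int(count)
    return table


def fetch_range_live(prefix: str, timeout: float = 5.0) -> str:
    """Real network fetch of one bucket (reference only; the demo stays offline)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


class PwnedCheckUnavailable(Exception):
    """Raised in fail-closed mode when the API cannot be consulted."""


def pwned_count(password: str, fetch_range: Callable[[str], str],
                fail_closed: bool = True) -> Optional[int]:
    """Return how often the password occurs in the corpus (0 = not found).

    If the API cannot be reached: fail_closed=True refuses to vet the password
    (raise); fail_closed=False returns None, i.e. the fail-open behaviour the
    reply above describes for the first implementation.
    """
    prefix, suffix = hash_prefix_and_suffix(password)
    try:
        body = fetch_range(prefix)
    except Exception as exc:  # network error, timeout, HTTP error, ...
        if fail_closed:
            raise PwnedCheckUnavailable(str(exc)) from exc
        return None
    # The match is decided locally on the 35-char suffix the API never saw.
    return parse_range_response(body).get(suffix, 0)


# --- constructed offline stand-ins for the API -------------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its bucket is
# 5BAA6. The counts and the two other suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "2B0F9F2A7A5F4D4E0C1B6F3A9D8E7C6B5A4:1\r\n"
)


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for fetch_range_live: only bucket 5BAA6 has entries."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def api_down(prefix: str) -> str:
    """Stand-in for an unreachable API."""
    raise OSError("simulated: api.pwnedpasswords.com unreachable")


if __name__ == "__main__":
    print(pwned_count("password", fake_range_lookup))              # breached
    print(pwned_count("abc", fake_range_lookup))                   # not in corpus
    print(pwned_count("password", api_down, fail_closed=False))    # None: fail-open
```

The `fail_closed` flag is the policy decision raised in point 2: with it set, an unreachable API blocks password changes (and, as the thread notes, an admin would then have to disable the check); with it cleared, an outage silently lets any password through. In both modes only the five-character prefix is transmitted, so a malicious or compromised API can at most lie about the contents of the bucket it returns, and the local comparison on the 35-character suffix is what decides the match.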

You won’t send anything during the initial logon. Password policy is checked when setting a password, not when using it.

2 Likes


It seems the feared check during logon is happening already.
On an internal test Nextcloud I upgraded to version 14. When activating the apps that had been deactivated during the upgrade I had problems; after logging out I can no longer log on. The error message is:

Password is among the 1,000,000 most common ones. Please make it unique.

But there is no option to actually change the password. And the pity is that it’s happening on the administrator account…

@hiran
looking for this?

https://docs.nextcloud.com/server/14/admin_manual/configuration_user/reset_admin_password.html

If you are running Nextcloud in a Docker container, I think you have to ssh into the container.

That did the trick, thanks a lot!

To be precise I had to run this command:

docker exec --interactive --tty --user 33 nextcloud /var/www/html/occ user:resetpassword <admin-user>

With that I was able to set and confirm a better password that allowed me to logon again.

When checking the security settings, only the checkboxes for “Häufig verwendete Passwörter verbieten” (reject common passwords) and “Groß- und Kleinbuchstaben erzwingen” (force capital and noncapital letters) were checked.

Plus even then, this check should occur during setting a password, not during logon. So that should be a bug.

And the system did not offer a “Forgot password” link. That is probably another bug?

Hiran

this ranks up there right with using Apple keychain to store nextcloud credentials for sync clients…

STOP using keychain to store nextcloud instance credentials on macOS client

Please don’t spam posts with links to other unrelated posts. If you don’t trust the manufacturer of your closed-source OS, you should not be using it.

If you read the information text that is literally right below the HIBP checkbox, you will learn that NC is not sending passwords to the service; rather, it receives a list of hashes of breached passwords from the service and then compares these to the passwords from users.

This is a recommended practice and some Nextcloud users may be required to perform these kinds of checks.

2 Likes

Not only is my post not spam, it is very related to the press release announcement. And again directly relates to the data privacy policy discussion for Nextcloud.

Have a nice day,
Jason

A discussion requires arguments. You posted

five years later on an announcement of a, once again, generally recommended password policy which you can disable. I cannot see any argument in that statement of yours.

If you want a discussion, then make a new topic with your arguments & criticism so it can actually be discussed.

“this is WRONG dont do it. nuff said” is not a discussion.

1 Like

I am a little uncomfortable being told that my behavior is directly against the terms of the Nextcloud community when that is not true. This is a very confrontational and disruptive manner and I have no further comment. Kind Regards, Jason

@Oclair

we appreciate your comment(s) here on some possible security flaws coming in through the choice of your OS. Thanks for that.

On another point I need to agree to @mdw (and to a whole lot of more ppl in your linked thread)… it is no discussion to just say: don’t use it, your data can be at risk.
this is just a personal opinion since there has been lots of comments that it’s not mandatory to use certain features of the OS in question.

Further on, it’s up to the individual (admin) to use certain NC features or tools. So it’s a clear “no” to something claiming “Nextcloud gives out your data, be careful”. Not true.

And since these are both options of a possible discussion, it would be up to you now to get into the discussion by adding arguments for your point of view.

As it is now it’s like this
Person 1: you are too late to our appointment
Person 2: no I am not.
Person 1: you are too late, though.
Person 2: no I am not because look at my watch etc
Person 1: you are still too late.
Person 2: (gives more arguments)
etc

this is no discussion. at least not from Person 1’s side.

And at this point, after Person 1 was told by several other people that this is no discussion, Person 1 gets slightly mad because they are always reminded of the fact that it’s no discussion, rather than giving more arguments to support their claims.

So please: start a real discussion, please.

If not (I personally think it’s already solved) this marks the end of this non-discussion. And no, it’s no silencing of anyone it’s just the logical next step.

2 Likes

This topic was automatically closed after 21 hours. New replies are no longer allowed.