Password app question

Hi,
I have never used it wonder if this is something that works like floccus for my browser bookmarks sync ?

I don’t know what the use of the password app is and how secure it is.

Can someone outline what it’s feature are and if it’s secure etc.

Thanks

It’s a password manager similar to Bitwarden or Last Pass. There are also Android and iOS apps and Browser extensions for Chrome and Firefox. So yes you could say it is something like floccus for passwords.

Why not just test it with some less critical accounts. If you want to read up on the features you can find all the details here…

https://apps.nextcloud.com/apps/passwords

and here:

https://git.mdns.eu/nextcloud/passwords/

That’s not an easy question to answer. Until someone does a proper code audit, I guess you have to trust the developers that they know what they are doing. It is also open source, so in theory you could check the code for vulnerabilities. I for myself can’t because I’m neither a developer nor a security researcher. This is one reason why I stick with Bitwarden, respective a selfhosted Vaultwarden instance and the Bitwarden clients apps.

And I also think that something as crucial as a passwortd manager should run on it’s own. You should minimize the attack vectors as much as you possibly can, and I am therefore not a fan of integrating it into a larger and more complex system like Nextcloud. But that’s just my personal opinion.

1 Like

You can also watch a video.

Thanks that’s an informative video.
I have some further questions about how to use it.

From the vid, it looks like your required to open pages from within the nextcloud password manager.
So does this mean that the passwords app is also being used as a bookmarks / password app ?

Please clarify
Thanks

Ahhh ok I think I see.
There is a Nextcloud Passwords extension that I would use with my browser right ?
From your vid link I see the app being used with files and folder, but I guess the browser extension interacts with the nextcloud password app in the same way the bookmarks extension works with nextcloud bookmarks ?

Please confirm.

Not exactley the same way… The Bookmarks browser extension is a sync client that synchronizes the bookmarks that are stored in your browser to your Nextcloud and vice versa. The Passwords Browser Extension, on the other hand, does not sync any passwords that might already be stored in your Browser or make any use of the built in password managament features of your browser. But yes, at the end of the day it makes the passwords, that are stored on your Passwords server available to your browser, so in that sense it’s similar to floccus.

The exact features are listed here and in the add-on stores of the browsers. But again, why not try it out…? Ultimately, you are the only one who can decide whether it fits your needs.

I am just getting around to trying this but as you stated “will not make use of the passwords that already exist on the browser” ?

Are you sure ? That sounds like something I would want.

I mean what happens if you change a password at a site in your browser ? Will it write the new password both to the browser and the the passwords at nextcloud ?

Seems like it should.

So I installed. There was a way to import passwords from browser to nextcloud passwords.

I do not know how this talks to the extension or app etc. but seems ok.

Curious about what this notice is in the browsers all the time.

In the right side of the address bar I keep getting this icon / notices to install stuff. It seems to create want to create desktop shortcuts which I don’t want. Sometimes it’s a shortcut for TALK or sometimes asking to install PASSWORDS or even a shortcut to help.nextcloud.com.
This concerns me unless I know what it is. Did I turn something on in the browser that I don’t know about ? Not related to passwords or something else ? Thanks

I remove them but then there is a folder of stuff left behind that I don’t know what they do.

Please advise
Thanks

I’m sure many would love this functionality. But browser extensions can only interact with the browser trough APIs provided by the browser and there simply is none.

Mozilla initially showed some interest in it but hasn’t really made any progress after developing a prototype of the API. However work stopped after that and it seems that Mozilla instead wants to establish Firefox as your password manager.

Google obviously never made any attempt at giving others access to your precious passwords as your passwords are sensitive private data and the only way they can be stored safely is by putting them in plain text on Google servers forever where Google can make sure that no one ever accesses them because after all there is no way your private and ad relevant data would be in bad hands at Google.

I’m not sure but it sounds like your browser is informing you that you can use Nextcloud as a “progressive web app” where you get a desktop icon which opens Nextcloud as a standalone app instead of a browser tab.

That is not related to the passwords app or the browser extension. To install the browser extension and connect it to Nextcloud see the setup guide.

1 Like

I think understand and yes the option in the address bar is not part of passwords but I only noticed it after I installed the passwords extension. I probably just never noticed it before.

As far as API’s go, I assume there is one for bookmarks since this can sync in both directions and just nothing like this for passwords ?

Yet I can import/export the passwords but I guess that’s totally different and Brave has some syc chain feature for all your devices but I don’t know how that works exactly. Edge browser does the same and with passwords so I have no idea how they can do it. Still no API for our side thought I guess.

Thanks it’s been a lot of help and I have a lot of things working perfectly on my nextcloud server.

Just learning how to use it and what apps might be useful for me.

One thing that confuses me about passwords is all these extensions out there that can sync to their servers somehow ? Yet I don’t like that idea and why I installed my own server to begin with.
How do they get this done ?

I don’t really understand it all.

One other thing is also that I installed, imported, then removed the app. Then re-installed and all the passwords data is still there. I don’t like this idea. So now I have to find where they are and how to delete them.

I am experimenting with passwords app and browser extension.

I don’t think I like the extension much. I mean like the browser anyone who can access the PC browser has your passwords. Stored on the browser or nextcloud with extension is sort of the same.

However, on the nextcloud “without” extension and ability to login with client and/or extensions might be better for just knowing if someone stole your computer then they couldn’t just turn it on and access all your passwords. I’m sure people have struggled with this subject for years now that I’m only starting to think about it more.

I should figure out how to clean this subject up into all the important info that you provided for me and what I’ve learned since.

I can see the extension feature for nextcloud passwords and it makes passwords accessible via the extension which you can also edit and change via the extension too.

So theoretically you would not need to have your browser save any passwords technically but just use nextcloud and extension if you wanted to.

Exactley this.

Btw. Other password managers like Bitwarden, 1 Password etc. do it the same way. The extensions synchronize with the corresponding server backends and do make the passwords available in the browser. But the the built-in password storage function of the browser is not used for any of this.

Enabling End-To-End encryption will require the encryption passphrase to be entered before acessing the passwords. See here how to set it up (recommended) or in the screenshot below.

It’s common troubleshooting for admins to uninstall and reinstall an app. If that would delete all data, it would be an unpleasant surprise for many admins. Users have the option to delete your data in the settings and admins via an occ command. Additionally, if a user account is deleted, the user data is also purged from the app.

Not sure if i understand you completely here. Do you mean that there is any extension out there that can sync the passwords stored in your browser to their own server? If so, do you have examples?

Not that I’m aware of… But It is possible to run your own Firefox Sync server. But I have never tested this myself…

https://github.com/mozilla-services/syncserver

https://mozilla-services.readthedocs.io/en/latest/howtos/run-sync-1.5.html

Ok this makes sense, and now that it’s installed and I’m using the extension and I get a message on the server that I need nextcloud 23 now for this app

Like I mentioned Chrome based Edge browser syncs everything including passwords and it mirrors my other devices as well.

Brave syncs passwords accross all devices too with something called sync chain or something.

When I search Chrome extensions for password sync their many of their descriptions indicate syncing across all platforms and all devices. Keeper for example says this just one of many.

I don’t know how their doing this or how it works at all but somehow they sync across all devices.

Thanks for all the responses It’s been helpful and now I’m wondering if passwords app will continue to be developed.

I may need to upgrade to nextcloud 23 but I don’t want to break my install. I only just got things running right.

The question is whether you want to host the server backend yourself or not and whether you want to manage the passwords independently of a particular browser or not.

If you use the integrated password managers of the browsers, they synchronize the passwords via their own servers. So Edge synchronizes with your Microsoft account, Chrome with the Gogele account etc…

Then there are browser independent password managers, like Bitwarden, Keeper, 1Password etc. that provide their own server backend as a service, and corresponding apps and browser extensions. This has the advantage that you are not tied to a specific browser, or to a browser at all.

For some of these services, such as Bitwarden, the server backend can also be self-hosted, or in the case of Passwords, it even has to be self-hosted with the Nextcloud Server App.

AHHHHHHH OK. I think I see. This subject has overlapping details that a person needs to figure out and knowing what “passwords” is doing and suppose to do is probably what I should have understood in the very beginning.

So really I am hosting my own passwords but selectively choosing whether or not I want my browser to also save them or not.
Or perhaps just turn off the browser saving feature completely and strictly use the “passwords app” and possibly with extension.

So not API for self hosting option only hidden features built by the browser makers etc. I think I get it now.

I am learning to use passwords for this reason and prefer to host myself.
Thanks for taking time to read my lengthy posts. I’m very interested in this and it’s been super helpful since I plan to use this long term for my friends and family.

My install shows PHP GDlib Renderer but (Imagick - Recommended).
I assume I don’t have Imagic on my install since it defauled to GDlib ?

I installed Ubuntu Server 20.04, nextcloud snap install Version 22.
I really don’t know what the snap install defaulted to.
Thanks

You can ignore this since you installed NC via snap. You will get the update to NC 23 automatically, others who installed Nc manually need to update manually.

I think imagick is not installed in the snap version, see Nextcloud snap 17.0.3 missing php imagick extension · Issue #1269 · nextcloud-snap/nextcloud-snap · GitHub

1 Like