Is there a plan for Nextcloud to implement a password manager as an “official” Nextcloud-maintained app?
I understand that there are several password managers available in the Nextcloud App Store (such as Passwords and Passman), but they are not always up to date with the latest Nextcloud releases. Furthermore, there is always the risk that a third-party app might stop being supported.
Integrating a password manager directly into the Nextcloud core (similar to how Nextcloud Photos or Notes were integrated) would provide better security, stability, and long-term reliability for end users.
You started a topic in the development category. This category is intended for active developers of the core or apps in the Nextcloud ecosystem.
From the description in your topic, it is not clear if you are seeking help and advice about a concrete problem you have or you want to actually develop the corresponding solution.
If you accidentally posted in the category, just give a hint and a moderator can move it to the corresponding category.
Generally speaking, the named apps are community apps as well. What makes you think these are somewhat special? Yeah, they are maybe better maintained (up to date with the current development of the server) but not provided by the NC company. Also, many devs at NC have their personal playground in the form of apps they started personally. These apps are typically (but not always) closer to the actual server development.
Thank you for the clarification and apologies for posting in the wrong category. I am not a developer, so I would appreciate it if a moderator could move this topic to the appropriate place.
My intention was simply to raise awareness with the Nextcloud development team about what I see as a genuine gap in the ecosystem: a Password Manager that is tightly coupled to the server release cycle and maintained with the same long term commitment as core features like Photos or Notes.
Nextcloud occupies a unique and important position in the self-hosted world. For many users, it is the most trusted open-source alternative to paid platforms like Google Workspace or Microsoft 365, precisely because it puts data ownership back in the hands of the user. That trust comes with an expectation of completeness. If someone is moving away from Big Tech to regain control of their data, they want a single, reliable platform that covers all their essential needs, including credential management.
I fully understand that community apps play a vital role in the Nextcloud ecosystem. However, as an end user who stores hundreds of unique credentials, the risk of a third-party password manager becoming abandoned or falling behind on server compatibility is a real concern. Passwords are arguably one of the most security-sensitive pieces of data a user can store, and that sensitivity makes the sustainability of a community-maintained project particularly worrying. Whether it is a single volunteer, a small group of contributors, or a handful of developers maintaining the app in their spare time, all of them are subject to life changes, shifting priorities, burnout, or simply running out of time. Any of these scenarios could leave thousands of users with a critical security tool that is no longer updated, no longer compatible, or simply gone.
The case for tighter integration is not about distrust of community developers. It is about the nature of the data involved. A password manager that ships and is tested alongside each Nextcloud Hub release would give users confidence that it will not break on upgrade and will receive timely security patches.
I realize this may not align with Nextcloud’s current roadmap or available resources, and I respect that. I simply wanted to put the idea forward and hear whether there is any interest or ongoing discussion around it. If there is an existing thread or a more suitable channel for this kind of feature suggestion, I would be grateful for a pointer.
You express your concerns. I understand them, and I have experienced with other projects that they were killed for lack of maintenance. That is unfortunate and (to some extent) part of the FOSS world.
The only alternative is to have a company with economic interest behind that. Then, we are no longer in the FOSS area. This also means that you have to pay for the app or tool or whatever.
If you want to make sure that you can use an app infinitely, the pure FOSS way would be to participate in the development process. That way, you can take over once the main devs stop (theoretically). I know this is not feasible for everyone. So, you could nevertheless try to get in touch with the maintainers and see if you can help them. Reduce their burden so that some of the drawbacks you mention are not as hard as they could be. Also, if the project is healthy, there might be other devs ready to assist in the case of personal problems.
I am not affiliated with the NC company. So, I cannot speak in their name. I personally doubt that they will take the password app as part of the main core. Especially as there are app-less alternatives [1]. Taking some apps out and enforcing a company-based maintenance might also be the wrong signal to all community devs that they might lose control over their project anytime.
I would advise you to take the chance and get in touch with the maintainer of the app. Maybe he/she will be at a public event (NC conference in Berlin in Sept?) and you can have a personal chat? If you voice your concerns, you can see their reaction. You can see what is blocking the progress.
At least, with FOSS you have no vendor lock-in. So, you can export (hopefully) all your data into other systems that might be better suited for your personal usage if that was needed.
[1] If we are talking about the same app, this is based on the KeePass FOSS program. That one (plus 1 or 2 forks of it) can be installed locally on your machine. Then, you can use the regular NC sync client to get the actual (encrypted) data file and open the passwords locally. I use it that way and think it is way more comfortable than using a web frontend. Even if the NC app passed away, you would still have access to the local files. But please check that and do not trust my half-knowledge blindly.
I appreciate the tip about the KeePass/Sync workflow, but that actually highlights my point.
Right now, I (and many others) use Vaultwarden because it just works. While KeePass is great for local files, it doesn’t compare to a modern server-side manager like Vaultwarden when it comes to daily use. For example:
Real-time Sync: I don’t have to worry about manual file conflicts; it’s just always updated on my phone and desktop instantly.
Web Access: I can log in from any browser if I’m away from my machine without software installation needed.
Sharing: It handles “Collections” perfectly, so I can share specific credentials with my family or team without giving them access to my whole vault.
The fact that I have to run a completely separate service just to get these basics shows a real functionality gap in Nextcloud.
From a bigger perspective, the push for Digital Sovereignty is a global movement. Whether it’s in Europe or anywhere else in the world, people are looking for a way to stay independent of tech giants. This is exactly where the FOSS world shines. The direct communication between developers and users allows us to build better, more transparent tools than any closed-source corporation ever could. But for Nextcloud to truly be that “all-in-one” alternative for the world, it can’t leave critical security pieces to the “best effort” of volunteers.
In 2026, a secure credential manager isn’t a “bonus feature”. It’s an essential infrastructure. Just like Mail, Calendar, and Photos became “official” to ensure long-term stability, I think identity management needs that same level of commitment.
I’ve actually already submitted a formal feature request for this here:
Thanks for the dialogue. This kind of open exchange is exactly why I prefer this ecosystem over the “Big Tech” alternatives.
This can also be an advantage: specialised applications are often better suited to their specific use cases than all-in-one solutions, which may cover a wide range of areas but do not necessarily shine in any particular one.
Nextcloud is also a relatively small player compared to Apple, Microsoft, or Google, and even they do not manage to offer all these features as well as specialized tools do. Otherwise, no one would still be using dedicated tools, and services like Bitwarden or 1Password would not exist.
I think Nextcloud should use its resources on core features like groupware and file sharing, and provide a stable platform so that developers can easily integrate extensions. This enables a broad ecosystem of applications to be built around Nextcloud.
Making every possible app or feature ‘official’ ultimately means taking on more maintenance burden. And if they want to guarantee that everything always works, they either need more paid developers, or existing developers need to spend time on maintenance of those apps instead of working on the core.
In my opinion, that is simply not feasible, and the modular approach, where Nextcloud provides the core functionality while extensions handle additional use cases, is the more sustainable way forward.
By the way, as far as I can see, the Passwords app is well maintained and has been receiving regular updates for years. It may not always be compatible with the latest Nextcloud version on day one, but that is not really a disadvantage. In general, it is better to wait for one or two point releases before upgrading to a new major version of Nextcloud on a production system anyway. In my experience, the list of fixes included in .1 or .2 releases is usually still quite long.
Also, this so-called “basic” feature actually has very high security requirements and requires quite a bit of specialized knowledge to implement properly. It is not something where I would want to see a few hastily written patches being rushed in just so the app is compatible with a new Nextcloud release on day one.
This is something where you really want to take your time and review patches carefully, especially from a security perspective. That is also why it can make sense to use a completely separate service or at least a dedicated app, maintained by developers who specialize in this area.