Password updates in desktop and mobile apps?

So, I really like Nextcloud, but it is BEYOND unforgiving whenever one sets password expiration - which we do, because our instance is public-facing.

It’s a pretty bad experience for end users, who obviously WILL be connecting to their Nextcloud account across devices and platforms, and the apps don’t seem to prompt users that they need to enter their new password or that credentials are the problem at all - they just… stop working, and then it kind of seems like the desktop apps eternally just… keep trying with the old password, resulting in a disabled account, and then eventually an IP ban.

This makes it incredibly difficult to administer Nextcloud - especially since, as far as I can tell, there’s no way to whitelist specific IP addresses, hostnames, or networks from IP bans, nor is there a way to easily control how many login attempts will disable an account, nor are the logs on the UI informative enough to tell where or from what app or integration a failed login is coming from.

It’d be nice to have a little more information in the logs in the UI, as well as some informative error messages. :face_with_raised_eyebrow:

There is actually an app for that purpose: Brute-force settings - Apps - App Store - Nextcloud

This is A solution, but I hesitate to call it THE solution, since the apps themselves are not particularly informative, nor are the logs. Do the desktop/mobile apps use token-based authentication?

To give you an idea: One of our users currently has Nextcloud Desktop installed on his machine. It isn’t syncing. It says “Offline”. There is nothing telling HIM his password is expired and he needs to reset it, and left-clicking the three little dots next to his account and left-clicking “Log In” does absolutely nothing. It doesn’t prompt him, it doesn’t do anything.

This is beyond words user unfriendly. I only figured out what its problem was by checking the logs, on the damn filesystem, because the logs in Nextcloud’s web interface provided no information about which user was having this problem, what IP address they were coming from, etc. Phenomenally useless logs on the web UI, and “Brute-force settings” doesn’t address these issues at all.
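The log digging described in the post above, as an added example that is not from this thread and not Nextcloud's own code: a small Python script that reads the JSON-lines `nextcloud.log` from the filesystem, pulls out the `Login failed` entries with the user name, the remote IP and (from the user agent) the client they came from, and lists the user/IP pairs that are approaching a lockout threshold. The field names and the `Login failed: '<user>' (Remote IP: '<ip>')` message shape follow the log format as I know it, the user-agent markers for the official clients are assumptions, and every sample line below is constructed.

```python
import json
import re
from collections import Counter

# Constructed sample of nextcloud.log lines (one JSON object per line).
# Field names follow the nextcloud.log format; all values are invented.
SAMPLE_LOG = r'''
{"reqId":"r1","level":2,"time":"2022-09-01T08:00:01+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/","message":"Login failed: 'alice' (Remote IP: '203.0.113.5')","userAgent":"Mozilla/5.0 (Linux) mirall/3.5.4 (Nextcloud)","version":"24.0.4.1"}
{"reqId":"r2","level":2,"time":"2022-09-01T08:00:31+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/","message":"Login failed: 'alice' (Remote IP: '203.0.113.5')","userAgent":"Mozilla/5.0 (Linux) mirall/3.5.4 (Nextcloud)","version":"24.0.4.1"}
{"reqId":"r3","level":1,"time":"2022-09-01T08:00:45+00:00","remoteAddr":"198.51.100.7","user":"bob","app":"files","method":"GET","url":"/apps/files/","message":"Opening directory","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/104.0","version":"24.0.4.1"}
{"reqId":"r4","level":2,"time":"2022-09-01T08:01:02+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/","message":"Login failed: 'alice' (Remote IP: '203.0.113.5')","userAgent":"Mozilla/5.0 (Linux) mirall/3.5.4 (Nextcloud)","version":"24.0.4.1"}
{"reqId":"r5","level":2,"time":"2022-09-01T08:02:10+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '198.51.100.7')","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.21.0","version":"24.0.4.1"}
{"reqId":"r6","level":2,"time":"2022-09-01T08:02:11+00:00","remoteAddr":"198.51.1
'''

# Message text written by the core login handler for a failed attempt (assumed format).
FAILED_LOGIN_RE = re.compile(r"Login failed: '(?P<user>[^']+)' \(Remote IP: '(?P<ip>[^']+)'\)")

# Assumed user-agent markers of the official clients; not taken from the thread.
CLIENT_MARKERS = (
    ("mirall/", "desktop client"),
    ("Nextcloud-android", "Android app"),
    ("Nextcloud-iOS", "iOS app"),
)


def classify_client(user_agent):
    """Map a user-agent string to a coarse client label."""
    for marker, label in CLIENT_MARKERS:
        if marker in user_agent:
            return label
    return "browser/other"


def parse_failed_logins(log_text):
    """Return one dict per failed-login entry: time, user, ip, client."""
    events = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or partially written line: skip it
        match = FAILED_LOGIN_RE.search(entry.get("message", ""))
        if not match:
            continue
        events.append({
            "time": entry.get("time", ""),
            "user": match.group("user"),
            # the message carries the IP; fall back to the request field if absent
            "ip": match.group("ip") or entry.get("remoteAddr", ""),
            "client": classify_client(entry.get("userAgent", "")),
        })
    return events


def summarize(events):
    """Count failures per (user, ip, client) so the offending app is visible."""
    return Counter((e["user"], e["ip"], e["client"]) for e in events)


def over_threshold(events, limit):
    """(user, ip) pairs with at least `limit` failures, i.e. close to a lockout."""
    counts = Counter((e["user"], e["ip"]) for e in events)
    return sorted(key for key, n in counts.items() if n >= limit)


if __name__ == "__main__":
    found = parse_failed_logins(SAMPLE_LOG)
    for (user, ip, client), n in summarize(found).most_common():
        print(f"{n:3d}  user={user:<10} ip={ip:<15} via {client}")
    print("near lockout:", over_threshold(found, 3))
```

Run it against a copy of the real `nextcloud.log` by replacing `SAMPLE_LOG` with the file contents; the per-client column is what tells you whether the retries come from a stale desktop client or a browser.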

This is an end user support forum where users try to help other users. I usually try to focus on what can be done, rather than what can’t be done, when I’m replying to posts. I am also not a developer, so I can’t do anything about how logging and the login flow work.

And yes, the full log message is not always directly displayed in the Web UI, but you can copy the full message in raw format to the clipboard like this…

Screenshot from 2022-09-01 08-04-00

In order to debug a specific issue, it might also be helpful to temporarily set the LogLevel to 1 or 0.

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html

Yes

I think the password is never used. Only at first access to the Nextcloud. Maybe someone can confirm it. Passwords are insecure. Nobody wants to use them and Nextcloud Desktop/mobile apps do not need them. You’d need passwords only for init and in the web.

I have made a test for you.

  • I add a test user to my Nextcloud
  • I add the test user to my Android Nextcloud (once, password was needed)
  • I changed the password of the test user in the web GUI of my Nextcloud
  • I stopped Android Nextcloud
  • I started Android Nextcloud again
  • and nothing happens - all worked fine
  • why use a new password if I have tokens?
  • look in the web here for the sessions: https://cloud.server.tld/settings/user/security

And for security of systems without session/token, e.g. web browser:
use 2FA and please do not use password change intervals.
Read this article (sorry, German).
