Production ready End-to-End encryption and new user interfaces arrive with new Nextcloud clients

Passphrases are well known and more secure than passwords

True, but only if you pick those 12 words truly randomly from the ~170k words of the Oxford Dictionary, and compare it with a password of 8 chars from the 23 letters of the alphabet. That’s theory.

In reality, the average native speaker uses ~10k words (a non-native maybe 1000) and, for a passphrase, picks words that are logically connected (significantly reducing randomness) and thus easy to remember. Compare it then with a 25-char password selected from ~80 small/big letters, numbers and special chars!

BTW, a passphrase is intended to be easier to remember, not to be more secure than a password.

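To make the entropy comparison in the post above concrete, here is an added worked example (not code from the thread or from Nextcloud). It computes the bits of entropy for each pool size and length quoted above (the ~170k, ~10k and ~1000-word vocabularies, the 8-character and 25-character passwords), turns them into brute-force times at an assumed guess rate, and shows how a client should pick passphrase words uniformly with a CSPRNG so that the theoretical figure is actually reached. The pool sizes are the post's approximations, the guess rate is an assumption, and the word list is a constructed toy list, not a real diceware list.

```python
import math
import secrets

# Scenarios taken from the discussion above. Pool sizes are the
# approximate figures quoted there; they are inputs, not measurements.
SCENARIOS = {
    "12 words, ~170k-word dictionary, chosen uniformly": (170_000, 12),
    "12 words, ~10k-word active vocabulary":            (10_000, 12),
    "12 words, ~1000-word non-native vocabulary":       (1_000, 12),
    "8 chars from 23 letters":                          (23, 8),
    "25 chars from ~80 letters/digits/symbols":         (80, 25),
}


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn independently and uniformly from a
    pool of `pool_size` symbols: length * log2(pool_size).

    This is the ceiling. Any bias in how the symbols are picked (a user who
    chooses words that "go together") lowers it, which the formula cannot see."""
    if pool_size < 2 or length < 1:
        raise ValueError("need a pool of at least 2 symbols and length >= 1")
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to enumerate the whole keyspace at a given guess rate.
    An attacker needs about half of this on average."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


# Constructed toy word list (16 words, so exactly 4 bits per word) so the
# block runs offline. A real list would be thousands of words long.
TOY_WORDLIST = [
    "anchor", "basalt", "cobalt", "dahlia", "ember", "fjord", "garnet", "harbor",
    "ivory", "juniper", "kestrel", "lumen", "marble", "nectar", "orbit", "pepper",
]


def generate_passphrase(wordlist, count: int = 12) -> str:
    """Pick `count` words uniformly at random with a CSPRNG, the way a client
    that chooses the passphrase for the user (as the Nextcloud team describes
    in this thread) should. No user-chosen, logically connected words, so the
    full log2(len(wordlist)) bits per word is actually achieved. Words may
    repeat; sampling with replacement is what the entropy formula assumes."""
    if len(wordlist) < 2:
        raise ValueError("word list too small")
    return " ".join(secrets.choice(wordlist) for _ in range(count))


def entropy_of_generated(wordlist, count: int = 12) -> float:
    """Entropy of a passphrase produced by generate_passphrase()."""
    return entropy_bits(len(wordlist), count)


if __name__ == "__main__":
    # Assumed guess rate for an offline attack on a fast hash: 1e12 guesses/s.
    rate = 1e12
    for name, (pool, length) in SCENARIOS.items():
        bits = entropy_bits(pool, length)
        print(f"{name:52s} {bits:7.1f} bits  "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
    print(generate_passphrase(TOY_WORDLIST),
          f"({entropy_of_generated(TOY_WORDLIST):.0f} bits with the toy list)")
```

Running it reproduces the post's point: 12 uniformly chosen words from 170k come to roughly 208 bits, 12 words from a 10k-word active vocabulary to roughly 159 bits, which is about the same as 25 characters from an 80-symbol alphabet (roughly 158 bits), and 12 words from a 1000-word vocabulary fall well below both. The 8-letter case at about 36 bits is exhausted in well under a second at the assumed rate.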

Ok… I have read the whole wiki, so I understand your concerns, but I also read this:

“But passwords are typically not safe to use as keys for standalone security systems (e.g., encryption systems) that expose data to enable offline password guessing by an attacker. Passphrases are theoretically stronger, and so should make a better choice in these cases. First, they usually are (and always should be) much longer—20 to 30 characters or more is typical—making some kinds of brute force attacks entirely impractical. Second, if well chosen, they will not be found in any phrase or quote dictionary, so such dictionary attacks will be almost impossible.”

And it’s not necessary to take words from the Oxford dictionary. The article says that you have to take non-common words. So you can take the Larousse French dictionary, a dictionary of computer terms…

Use KeePassXC to generate a strong passphrase (Linux, Windows, Mac)


With every password scheme, there are ways to reduce complexity. S€cr3tP@ssw0rd is long, has special characters, numbers, … but does it look very random? With the words, it is easier to remember, you can even remember words with no or little logical connection, mix with other languages, use typos, …
Except with password managers, the password remains a weak point since we can’t memorize an often-changing, very complex password. For that reason, Nextcloud pushed 2FA; it could be an idea for E2E encryption to add a second factor (U2F device) as well, especially if a device is lost.

You are entirely correct, IF the passphrase was chosen by the user. But it is not: our client picks it for you. The only reason we use a passphrase is to make it easier to type in another client - it is much easier to type a string of words than a long string of random characters. You can read more in the whitepaper covering the design of our E2E solution, where we also calculate the entropy of this solution.

Note, also, that we don’t expect users to remember the passphrase; you only need it when adding another device, so you don’t use it often enough to remember it anyway. It is GOOD to write it down, as you will lose access to your data if you lose the passphrase, but each of your devices can show the passphrase at any time, so that should generally keep it quite safe.


Yeah, we know about the issue, it will be resolved in 3.1 :wink:

Yeah, the dev forgot to update the description. The latest version of the app is the production-ready version, and as soon as he does another update it should also say so in the description, as I updated it. Sadly we can’t update the description without updating the app (they are tied together in the app store).

Ok, that’s great news! I presume latest version includes 1.5.2 for NC 19? Or do you mean 1.6.1 only (which would require NC 20)?

Thanks!


I’d love to see an exact list of what does and does not work between the e2e server, desktop and mobile apps. Anyone know?

Here is the relevant XKCD for using dictionary words as a secure password:


What exactly are you looking for? The answer is quite simple - anything in the web interface doesn’t work :wink:
But you can find many more details in our whitepaper, on Nextcloud features that put you in control and in the blog about encryption in Nextcloud.


Hi. What I’m looking for is a list of what does and does not work in regards to Nextcloud’s e2e implementation across the server, desktop and mobile clients. It has not been stable, nor feature-complete, since it was originally announced.

Definitely interested to know if the encryption (and recovery) are truly reliable at this point. :+1:


@jospoortvliet probably my question above got lost: what about the availability of the new client for Linux on PPA? It appears that the archive is owned by Nextcloud so I expect somebody from NC needs to take care of this, right?

Hi, I just installed the appimage on Debian Testing, but the end-to-end encryption isn’t working. The dialog box displays “This account supports end-to-end encryption” with a “Display mnemonic” button. I press that button, enter 12 words but it never changes to “enable encryption” as shown in the video released by NextCloud. Any suggestions? I’m running Version 3.0.0 (Debian) desktop client, and Nextcloud 19.0.1.1 on a VPS. Any suggestions would be greatly appreciated. Thanks.

This sounds like you’ve forgotten to install the E2E app on the server-side. After that the client will show you the generated mnemonic, you don’t define it yourself.

HTH

Great, that got things working. Thank you!

We don’t own that, for sure, the only package we do is the AppImage.

yeah, the dialog would show even if you didn’t have the E2E app on the server - we fixed that in 3.0.1…

Only time will tell. We couldn’t find any bugs in our testing, otherwise we would not have released it, but that doesn’t mean there are no bugs. It did not get as much testing from users as we had hoped, but that is not something we control.


I do hope that PPAs that are clearly marked as being the developers’ PPA are run by Nextcloud…

… https://launchpad.net/~nextcloud-devs/+archive/ubuntu/client…

You can already find Nextcloud Desktop client packages included in openSUSE Tumbleweed, Arch Linux and Fedora. You can find Ubuntu/Debian packages in this PPA. Packages for Alpine Linux over here. See the latest state and more packages in this post on our forums. Can’t find packages? Ask your distribution or contribute to creating them!

It is maintained by @ivaradi.

Since end-to-end encryption requires an empty folder on the server to sync to, what happens if you try to sync a second computer to a top-level folder on the server that contains an encrypted folder with data in it? Will it fail? Thank you.