Public links scanning protection

Hello, I have a question regarding public folder/file sharing without a password.
Does the system have any protection against brute force scanning? I have the fear that someone can easily scan a server for public links.
Thanks for all.

If the link was not published anywhere on the Internet, i.e. could never be picked up by a search engine, it is almost impossible to find a link by brute force scanning.

The stochastic probability is almost non-existent: With a token length of 15 (which is the default length of the generated tokens), with 62 characters ([a-zA-Z0-9]), there are:


possible combinations.

And then you can also vary the token length (assuming you know how).

So from my side you get a “all-clear, don’t worry” :sunglasses:

1 Like


Regarding security, you still have to distinguish between attacks via the application, as in your case, and attacks on locally available files (e.g. encrypted ZIP files). In the case of attacks via the application, the attacker is limited by the speed of the application here Nextcloud. With encrypted ZIP files, for example, the attacker can buy any amount of cloud computing power worldwide for a distributed decryption attack. Thus, the threat in your case is much lower despite the same password length and password complexity.

Normal Nextclouds are usually only designed for a few thousand users and thus only a few thousand parallel accesses per second. It takes a long time to really try out all combinations. Decrypting ZIP files via one or more distributed systems is much faster.

If you have Nextcloud on a Pi, for example, it will take even longer. :grinning:
Perhaps bad hardware is the best protection. :grinning: