Why do I have to enter my master password soooo often?

TheGrue · December 28, 2023, 11:10am

I have to enter my password for the passwords app soooooooo often. Usually several times a day. I had to enter it three times in the last hour, which finally triggered this message. I’m seeing this behaviour since I installed the passwords app last year or so, but waited with a mail about it until I had a really recent version of nextcloud:

php occ passwords:system:report
{   
    "version": {
        "server": "27.1.5.1",
        "app": "2023.12.32-build5266",
        "lsr": false,
        "php": "8.2.7",
        "cronPhp": "8.2.7"
    },
    "environment": {
        "os": "Linux",
        "architecture": "x86_64",
        "bits": 64,
        "database": "mysql",
        "cron": "cron",
        "proxy": false,
        "sslProxy": true,
        "subdirectory": false
    },
    "services": {
        "images": "imagick",
        "favicons": "default",
        "previews": "default",
        "security": "hibp",
        "words": "random",
        "previewApi": false,
        "faviconApi": false
    },
    "settings": {
        "channel": "stable",
        "nightlies": true,
        "handbook": false,
        "performance": 5
    },
    "status": {
        "autoBackupRestored": false
    },
    "apps": {
        "guests": {
            "installed": false,
            "enabled": false
        },
        "occweb": {
            "installed": false,
            "enabled": false
        },
        "theming": {
            "installed": false,
            "enabled": false
        },
        "passman": {
            "installed": false,
            "enabled": false
        },
        "unsplash": {
            "installed": false,
            "enabled": false
        },
        "impersonate": {
            "installed": false,
            "enabled": false
        },
        "passwords_handbook": {
            "installed": false,
            "enabled": false
        }
    },
    "sharing": {
        "shares": 0
    },
    "encryption": {
        "sse": {
            "SSEv1r1": false,
            "SSEv1r2": true,
            "SSEv2r1": true,
            "SSEv3r1": false,
            "none": true,
            "default": "none"
        },
        "cse": {
            "CSEv1r1": true,
            "none": true,
            "default": "CSEv1r1"
        }
    }
}

This completely dismisses the usefulness of the app. Ok, I only have to enter one password, but I have to do it each time I need one…

It would be marvelous if you could help me with this issue, thanks!

mdw · December 28, 2023, 11:45am

That is how the encryption passphrase is expected to work. You need to enter it every time you open the app since it’s not being stored anywhere.

In some browsers you can store the passphrase in the browser and have it entered automatically when you open the app. (See wiki). That of course means that the passphrase is then stored in your browser as plain text.

TheGrue · December 28, 2023, 12:32pm

That’s an interesting approach. It leads to simple and unsafe master passwords.
Nevertheless, thanks for your information, I’ll have to live with it. I’ll have a look at the wiki, like you suggested

mdw · January 4, 2024, 2:59pm

There is nothing interesting here. This is an end-to-end encryption passphrase. It mustn’t be stored and it mustn’t be sent to the server. So it’s standard practice for E2EE to never store the passphrase and require the user to provide it.

The app will at some point run a security check on the passphrase. If it’s found to be insecure, it will force you to change it.