password_policy
Different share link password policy
Is your feature request related to a problem? Please describe.
I regularly share folders via public links and want to have a baseline of privacy, which is why I want to use a simple password, e.g. "NiceEvening", but I can't due to it being too unsafe. As I have discovered, the password policy is shared between link sharing and user accounts, which to me have very different security requirements but are grouped together. This means that I either need to use long and complex passwords for just some uncritical photos of an evening or that I need to seriously reduce the requirements given to users, which I am definitely not ready to do.
Describe the solution you'd like
I would like to have separate policies for links and for user accounts. "Sharing" already has a separate tab in the administration, the options could live there for example.
Describe alternatives you've considered
It could be a plugin instead of a core functionality, I don't mind that, but I feel like separating link security from account security is something relatable and intuitive that wouldn't obstruct the existing menus too much.
Additional context
Looks like I'm not alone, this is another post related to the problem, also describing the same problem: https://help.nextcloud.com/t/cannot-find-share-link-password-policy/22666
Is there already a way to do this? Set maximum requirements for user passwords but remove all requirements for shared links. (in my case)
I would like to add that there is no mention in the "Password Policy" configuration that it applies to both the user passwords and the share link password feature.
In my case, I broke an automatic system that generates simple passwords for share links (since they are not that critical and the URL already makes them pretty secure) while changing the password policy for users.
Furthermore, the current "Password Policy" configuration includes User password history, days until user password expires and login attempts before the user account is blocked. (0 for no limit), which are all user-password-specific features, which reinforces the idea that those settings only apply to user passwords.
I would also appreciate a way to define a different password policy for share passwords of all kinds. From my point of view, to implement this, there need to be additional settings in the password policy app and new GenerateSecureSharePasswordEvent / ValidateSecureSharePasswordEvent events.
@rullzer, @ChristophWurst, @dontknowwhoelse, I could imagine having a look into this (as I'd like to have it, too). Are you ok with this in general?
- Do you have some specific requirements/thoughts already?
- Would you be ok with moving to webpack/vue? Feels indeed a bit overkill for these two small settings, but I think the development/code would be a bit more compact and less complex... 🤔 🙈
Follow-up of this: it looks like the "Minimum password length" was recently (during Nextcloud 22 release?) changed from 8 to 10.
The result is that this updated all instances to 10 minimum. While this looks like a bug in itself, this broke all my systems that generated short passwords for share links.
I know time is precious, but could you take a look at this? I'm thinking a checkbox like "Don't apply password policy to share links" would be great and maybe easier to implement.