Users tend to use the same passwords in multiple locations, which poses a significant risk in case passwords are stolen. Last Thursday, Security researcher Troy Hunt, known from his site HaveIBeenPwned, expanded his existing dataset of 306 million leaked passwords with another 200 million, bringing the total to half a billion. Organizations can use this list to check passwords against, ensuring their users don’t pick a password that is known and thus likely to be tried by hackers when trying to break into a system.
Pwned Passwords
His collection of passwords, named Pwned Passwords, uses SHA1 hashes of the passwords to allow checks against it. It also offers a counter to show how often a password is used in the database, with abc123 having a count of 2.5 million according to a blog by Hunt.
In this blog, Hunt also explains he gathered the 8,8GB worth of passwords from a series of public leaks and he warns strongly against using passwords part of his collection. He made them available to be collectively downloaded via a torrent and on his website he offers an API which can be used to check passwords against. It is a common practice of both attackers and defenders in computing security to built lists of commonly passwords which are in turn used in so called Rainbow Tables which are used to recover username/password combinations from encrypted, stolen databases. Or, like in this case, to ensure users don’t use previously breached passwords.
online check against haveIBeenPwned database
Password security in Nextcloud
Currently, Nextcloud allows administrators to enforce a NIST compliant password quality, which includes a check for commonly used passwords like ‘test’ and ‘abcabc. The limitations are checked when a user chooses a new password, or when the admin creates a new user with password. The new test against the HaveIBeenPwned database queries its database through their public API, giving a warning if the password has been breached.
As shipping a 8.8 gb password database alongside Nextcloud would probably make the download a little to big for most users. By sending a partial hash (the first five characters), we avoid any increased risk of leaking the password as, even if intercepted, those first 5 characters of a long hash aren’t very to helpful crack the full password. Besides, the attacker wouldn’t know the user name. The administrator can enable or disable this feature – we still have to determine if we’ll enable it by default but likely not.
The new Password Policy settings in Nextcloud 13.0.1
This improvement helps make passwords more secure, avoiding the use of known breached passwords and adding to our brute-force protection, two-factor authentication and existing password quality checks to ensure strong account protection.
The new check will be part of Nextcloud 14 and might also be backported to Nextcloud 13 in one of the upcoming patch releases. While this technically qualifies as a new feature (and backporting features always comes at a risk), password security is very central to keeping data under control and thus worthy of some extra testing effort. We still recommend to use the built in two-factor authentication to provide additional protection against stolen passwords!
Update: the code has been reviewed and merged and will be backported to 13.0.1. It will be disabled by default.
The landing page for our upcoming Nextcloud Hub release is now live! On September 27, 2025, at 10AM (CEST), we will present the latest Nextcloud Hub live from the Nextcloud Community Conference in Berlin, Germany. And you can be part of it, too, by signing up for the online launch! While you’re registering, you might […]
In early 2025, BigTech hyperscalers in the US began to push new “sovereign cloud” offerings in a big PR campaign in Europe. In the past weeks, their narrative has collapsed. It’s not critics or watchdogs exposing the contradictions — the tech firms themselves have admitted their "sovereign" promises are empty.
In the Nextcloud 2024 wrap-up, we want to take a moment to celebrate this year's achievements. Join us as we continue to reimagine what’s possible - shaping a world where open source, privacy and connection come together and drive progress for the greater good.
Organisations, small and large, need a way to ensure the resiliency and digital sovereignty of their operations – an open-source, privacy-respecting alternative to Teams. And today, we present that solution - Nextcloud Talk.
Nextcloud has been recognized with the World Summit Award Germany that selects and promotes local digital innovation improving society, aiming to contribute to the United Nations' agenda of sustainable development goals.
DIE ZEIT, a prominent German outlet, interviewed Nextcloud’s founder Frank Karlitschek for an article on Microsoft’s anti-competitive behaviour on the European office software market. Read for a recap of the article and the key takeaways.
MagentaCLOUD’s migration to Nextcloud in 2021 resulted in a fully equipped Online Storage with an integrated online office suite that further improves the user experience, flexibility and security for customers.
We bring you a major update to the Nextcloud AI Assistant, plus the news we work with several big hosting providers like IONOS and OVHcloud to bring AI-as-a-Service options to you!
Bechtle and Nextcloud announce today a complete managed collaboration platform for the public sector that requires no tender and can be deployed immediately.
Discover how to make the switch from ownCloud to Nextcloud. Our quick guide provides insights into the migration process, helping you make the transition smoothly.
Today, US-based file sync & share vendor Kiteworks announced their acquisition of ownCloud and Dracoon. Kiteworks points out that their customers now have access to their file-sharing application. It is to be expected they will not maintain 3 similar products, but customers will have to migrate to the US firms’ platform or look for another […]
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]
With the EU law proposal “Regulation to Prevent and Combat Child Sexual Abuse” — more commonly know as the EU Chat Control Law — our democracy is threatened from the inside: by our own governments. Citing child protection as the reason, the EU wants to backdoor end-to-end encryption, so they can access and read any […]
Join our workshops on September 27 and 28 as we come together in Berlin, Germany, for the Nextcloud Community Conference: a weekend of connecting, sharing, and building together. This year, we’re excited to bring you a series of hands-on workshops designed to help you sharpen your skills, explore new ideas, and collaborate with experts. From […]
We save some cookies to count visitors and make the site easier to use. This doesn't leave our server and isn't to track you personally!
See our Privacy Policy for more information. Customize
Statistics cookies collect information anonymously and help us understand how our visitors use our website. We use cloud-hosted Matomo
Service:Matomo
Cookies description:
_pk_ses*: Counts the first visit of the user
_pk_id*: Helps not to double count the visits.
mtm_cookie_consent: Remembers that consent for storing and using cookies was given by the user.
Cookies expiry:_pk_ses*: 30 minutes
_pk_id*: 28 days
mtm_cookie_consent: 30 days
Comments