Educating Bild: password-protected sharing

The German tabloid Bild featured an article covering the press release published by the German Ministry of Defence about the recent leaks of WebEX calls between army generals. The Bild noted that the password the Ministry of Defence used for the shared Nextcloud link was „1234“, assuming this was meant to ’secure‘ the link.

While a press release is obviously meant to be public, which is why the simple password was chosen, you might wonder why the ministry didn’t just use a completely password-less link for their Nextcloud share?

Secure sharing with Nextcloud

Nextcloud differentiates itself from public clouds like Microsoft 365, Dropbox or Google Drive with a focus on privacy and data sovereignty. Unlike public clouds, Nextcloud often runs on private cloud environments, giving the organization deploying it direct control over the data. It wouldn’t make sense for the German government (or any other) to hand over important data to foreign tech firms, which is why Nextcloud is widely deployed in the European public sector.

Protect your public links with passwords

With Nextcloud, users can share directly with other users. This makes sure no data leaves the government data center. But sometimes data must be shared outside the organization, either to a single individual or fully in public like with a press release.

Nextcloud allows users to create one, or more, public links for this purpose. A public link lets a third party who has the link view and (depending on the settings) download and edit the file. As you might share a document for editing with one person, and create another link with only viewing permissions to a second, each link can have its own protections. Including a password, expiration date and more!

The system administrator can put in additional controls, to ensure data is always protected. The File Access Control can use rules to stop files from being accessed outside Germany, for example. Or a mandatory 30 day expiration date can make sure links get cleaned up after a while. And last, but very relevant, administrators can enforce a password on each public link.

This setting is clearly enabled on the Nextcloud server used by the German Ministry of Defense, and explains why a simple password (1234) had to be chosen. Note that administrators can even enforce a certain degree of password quality, blocking such simple passwords from being chosen by users!

In other words. Mr. Pistorius does not use the password ‚1234‘ to protect any data – it was meant to make it easy to access the press release.

We hope the readers at Bild appreciate out explanation!

For a more detailed exploration of our file sharing features available throughout Nextcloud, see our in-depth docs on File Sharing or our Sharing features overview.