Users tend to use the same passwords in multiple locations, which poses a significant risk in case passwords are stolen. Last Thursday, Security researcher Troy Hunt, known from his site HaveIBeenPwned, expanded his existing dataset of 306 million leaked passwords with another 200 million, bringing the total to half a billion. Organizations can use this list to check passwords against, ensuring their users don’t pick a password that is known and thus likely to be tried by hackers when trying to break into a system.
Pwned Passwords
His collection of passwords, named Pwned Passwords, uses SHA1 hashes of the passwords to allow checks against it. It also offers a counter to show how often a password is used in the database, with abc123 having a count of 2.5 million according to a blog by Hunt.
In this blog, Hunt also explains he gathered the 8,8GB worth of passwords from a series of public leaks and he warns strongly against using passwords part of his collection. He made them available to be collectively downloaded via a torrent and on his website he offers an API which can be used to check passwords against. It is a common practice of both attackers and defenders in computing security to built lists of commonly passwords which are in turn used in so called Rainbow Tables which are used to recover username/password combinations from encrypted, stolen databases. Or, like in this case, to ensure users don’t use previously breached passwords.
online check against haveIBeenPwned database
Password security in Nextcloud
Currently, Nextcloud allows administrators to enforce a NIST compliant password quality, which includes a check for commonly used passwords like ‚test‘ and ‚abcabc. The limitations are checked when a user chooses a new password, or when the admin creates a new user with password. The new test against the HaveIBeenPwned database queries its database through their public API, giving a warning if the password has been breached.
As shipping a 8.8 gb password database alongside Nextcloud would probably make the download a little to big for most users. By sending a partial hash (the first five characters), we avoid any increased risk of leaking the password as, even if intercepted, those first 5 characters of a long hash aren’t very to helpful crack the full password. Besides, the attacker wouldn’t know the user name. The administrator can enable or disable this feature – we still have to determine if we’ll enable it by default but likely not.
The new Password Policy settings in Nextcloud 13.0.1
This improvement helps make passwords more secure, avoiding the use of known breached passwords and adding to our brute-force protection, two-factor authentication and existing password quality checks to ensure strong account protection.
The new check will be part of Nextcloud 14 and might also be backported to Nextcloud 13 in one of the upcoming patch releases. While this technically qualifies as a new feature (and backporting features always comes at a risk), password security is very central to keeping data under control and thus worthy of some extra testing effort. We still recommend to use the built in two-factor authentication to provide additional protection against stolen passwords!
Update: the code has been reviewed and merged and will be backported to 13.0.1. It will be disabled by default.
Nextcloud ist die erste Cloud-Plattform, die mit dem Umweltzeichen „Blauer Engel“ ausgezeichnet wurde und damit beweist, dass eine digital souveräne und grüne IT möglich ist.
Unternehmen, ob klein oder groß, brauchen eine Möglichkeit, die Ausfallsicherheit und digitale Souveränität ihrer Abläufe zu gewährleisten - eine Open-Source-Alternative zu Teams, die die Privatsphäre respektiert. Und heute stellen wir diese Lösung vor - Nextcloud Talk.
Bechtle und Nextcloud kündigen heute eine vollständig verwaltete Kollaborationsplattform für den öffentlichen Sektor an, die keiner Ausschreibung bedarf und sofort bereitgestellt werden kann.
Our mission is to help individuals, businesses and organizations achieve digital sovereignty and regain control over their data. Nextcloud Hub 5 marks a massive step forward towards achieving this mission, putting the power of AI into your hands – in a way that keeps you in control. New release, new possibilities Hub 5 builds on […]
With the Nextcloud Community Conference, we are bringing together contributors, fans, and first-time attendees for two days of talks, workshops, and sharing experiences on 27 and 28 September in Berlin, Germany. But the event doesn’t stop there! We will continue our ventures during the Nextcloud Contributor Week from 29 September to 2 October with our […]
Mit einem neuen Impulspapier gibt Schleswig-Holstein der Debatte um den Deutschland-Stack frischen Schwung. Die im Koalitionsvertrag der Bundesregierung erwähnte Idee einer souveränen, interoperablen und europakompatiblen digitalen Infrastruktur war bisher eher ein politischer Anspruch als ein umsetzbarer Plan. Das Impulspapier, entstanden nach einem Fachgespräch im Juli 2025 mit Vertreter*innen aus Verwaltung, Wirtschaft und Open Source Community, […]
The landing page for our upcoming Nextcloud Hub release is now live! On September 27, 2025, at 10AM (CEST), we will present the latest Nextcloud Hub live from the Nextcloud Community Conference in Berlin, Germany. And you can be part of it, too, by signing up for the online launch! While you’re registering, you might […]
Wir speichern einige Cookies, um Besucher zu zählen und die Nutzung der Website zu erleichtern. Diese verlassen unseren Server nicht und dienen nicht der Verfolgung Ihrer online-Aktivitäten.
Weitere Informationen hierzu finden Sie in unserer Datenschutzrichtlinie. Anpassen
Statistik-Cookies sammeln anonym Informationen und helfen uns zu verstehen, wie unsere Besucher unsere Website nutzen. Wir verwenden cloud-gehostetes Matomo
Dienst:Matomo
Cookie-Beschreibung:
_pk_ses*: Zählt den ersten Besuch des Benutzers
_pk_id*: Hilft, die Besuche nicht doppelt zu zählen.
mtm_cookie_consent: Erinnert daran, dass der Nutzer seine Zustimmung zur Speicherung und Verwendung von Cookies gegeben hat.
Cookie-Ablauf:_pk_ses*: 30 Minuten
_pk_id*: 28 Tage
mtm_cookie_consent: 30 Tage
Comments