Users tend to use the same passwords in multiple locations, which poses a significant risk in case passwords are stolen. Last Thursday, Security researcher Troy Hunt, known from his site HaveIBeenPwned, expanded his existing dataset of 306 million leaked passwords with another 200 million, bringing the total to half a billion. Organizations can use this list to check passwords against, ensuring their users don’t pick a password that is known and thus likely to be tried by hackers when trying to break into a system.
Pwned Passwords
His collection of passwords, named Pwned Passwords, uses SHA1 hashes of the passwords to allow checks against it. It also offers a counter to show how often a password is used in the database, with abc123 having a count of 2.5 million according to a blog by Hunt.
In this blog, Hunt also explains he gathered the 8,8GB worth of passwords from a series of public leaks and he warns strongly against using passwords part of his collection. He made them available to be collectively downloaded via a torrent and on his website he offers an API which can be used to check passwords against. It is a common practice of both attackers and defenders in computing security to built lists of commonly passwords which are in turn used in so called Rainbow Tables which are used to recover username/password combinations from encrypted, stolen databases. Or, like in this case, to ensure users don’t use previously breached passwords.
online check against haveIBeenPwned database
Password security in Nextcloud
Currently, Nextcloud allows administrators to enforce a NIST compliant password quality, which includes a check for commonly used passwords like ‘test’ and ‘abcabc. The limitations are checked when a user chooses a new password, or when the admin creates a new user with password. The new test against the HaveIBeenPwned database queries its database through their public API, giving a warning if the password has been breached.
As shipping a 8.8 gb password database alongside Nextcloud would probably make the download a little to big for most users. By sending a partial hash (the first five characters), we avoid any increased risk of leaking the password as, even if intercepted, those first 5 characters of a long hash aren’t very to helpful crack the full password. Besides, the attacker wouldn’t know the user name. The administrator can enable or disable this feature – we still have to determine if we’ll enable it by default but likely not.
The new Password Policy settings in Nextcloud 13.0.1
This improvement helps make passwords more secure, avoiding the use of known breached passwords and adding to our brute-force protection, two-factor authentication and existing password quality checks to ensure strong account protection.
The new check will be part of Nextcloud 14 and might also be backported to Nextcloud 13 in one of the upcoming patch releases. While this technically qualifies as a new feature (and backporting features always comes at a risk), password security is very central to keeping data under control and thus worthy of some extra testing effort. We still recommend to use the built in two-factor authentication to provide additional protection against stolen passwords!
Update: the code has been reviewed and merged and will be backported to 13.0.1. It will be disabled by default.
Bechtle et Nextcloud ont annoncé aujourd'hui une plateforme de collaboration entièrement administrée pour le secteur public, qui ne nécessite pas d'appel d'offres et peut être déployée immédiatement.
Le 24 avril prochain, nous réunirons des professionnels de l'industrie et des acteurs clés dans le domaine des technologies de l'information pour favoriser le réseautage, partager des connaissances, présenter des cas d'usage et échanger sur les dernières avancées technologiques autour de Nextcloud.
Découvrez comment passer de ownCloud à Nextcloud. Notre outil d'aide à la migration fournit des informations sur le processus de migration et vous aide à effectuer la transition en douceur.
Au cours de la dernière année, l'IA est devenue un sujet à la mode. Il y a de l'engouement, mais aussi du fondement. Il y a du positif et du négatif. Nous voulons vous offrir le positif, pas le négatif, et ignorer le battage médiatique ! […]
We are excited to announce SpaceNet as a new sponsor of the Nextcloud Enterprise Day, a leading provider offering tailored Nextcloud hosting solutions that ensure robust security, efficiency, and data sovereignty.
We're thrilled to reveal T-Systems, part of Deutsche Telekom and a prominent global IT service provider, as the latest sponsor of Nextcloud Enterprise Day. Join us on April 24, 2024, in Munich, Germany, for this pivotal event.
The German tabloid Bild featured an article covering the press release published by the German Ministry of Defence about the recent leaks of WebEX calls between army generals. The Bild noted that the password the Ministry of Defence used for the shared Nextcloud link was « 1234 », assuming this was meant to ‘secure’ the link. While […]
Nous enregistrons certains cookies pour compter les visiteurs et faciliter l'utilisation du site. Ces données ne quittent pas notre serveur et ne sont pas destinées à vous suivre personnellement ! Consultez notre politique de confidentialité pour plus d'informations Personnaliser
Les cookies utilisés pour enregistrer les données saisies dans les formulaires, telles que le nom, l'adresse électronique, le numéro de téléphone et la langue préférée.
nc_form_fields
Mémorise les données saisies dans les formulaires pour une prochaine visite (nom, adresse électronique, numéro de téléphone et langue préférée).
Les cookies statistiques collectent des informations de manière anonyme et nous aident à comprendre comment nos visiteurs utilisent notre site web. Nous utilisons la solution open source de mesure de statistiques web Matomo
Matomo
_pk_ses*: Compte la première visite de l'utilisateur
_pk_id*: Aide à ne pas compter deux fois les visites.