<![CDATA[Increase length of app passwords]]>I think it’s less than 20 characters. +50 characters would be nice. +100 would be ideal. Is there a technical reason why it’s this low?

Dashboard > profile > app passwords > generate

]]>https://forum.cloudron.io/topic/7908/increase-length-of-app-passwordsRSS for NodeSun, 14 Jun 2026 10:19:40 GMTThu, 03 Nov 2022 23:36:39 GMT60<![CDATA[Reply to Increase length of app passwords on Fri, 04 Nov 2022 12:02:59 GMT]]>@girish It sure did. I thought it was a simple matter of brute forcing 16 characters. I’m glad that’s not the case. Thanks for the clarification!

]]>https://forum.cloudron.io/post/55366https://forum.cloudron.io/post/55366Fri, 04 Nov 2022 12:02:59 GMT<![CDATA[Reply to Increase length of app passwords on Fri, 04 Nov 2022 08:03:54 GMT]]>@humptydumpty Internally, the password is 64 bits / 8 bytes. It's random 8 bytes , so not just the ascii space. This password is then stored hashed in the database.

Cracking this is a lot of "work". For example, https://security.stackexchange.com/questions/43683/is-it-possible-to-brute-force-all-8-character-passwords-in-an-offline-attack has some numbers and that's only over 96 characters in each byte as opposed to our 256 characters range. Most rainbow tables also won't work because our character set is broader.

Hope that clarifies the logic.

]]>https://forum.cloudron.io/post/55352https://forum.cloudron.io/post/55352Fri, 04 Nov 2022 08:03:54 GMT<![CDATA[Reply to Increase length of app passwords on Fri, 04 Nov 2022 04:07:37 GMT]]>@subven Interesting to learn about SFTP limits. That limit doesn't apply to mail and other apps though. The reason I brought this up is because (iirc that is) nextcloud won't log in on iOS if 2FA TOTP plugin is installed & active for the user. I think I had to temporarily disable TOTP, log into the app on the phone, and then re-enable 2FA in NC.

Edit: here are the apps that I have installed and can make use of the generated app passwords:

  • mail client
  • wekan (app)
  • alltube (app)
  • etherpad (app)
  • matrix (app)
  • wordpress (app & sftp)
  • surfer (app & sftp)
  • paperless (sftp only)
]]>https://forum.cloudron.io/post/55347https://forum.cloudron.io/post/55347Fri, 04 Nov 2022 04:07:37 GMT<![CDATA[Reply to Increase length of app passwords on Fri, 04 Nov 2022 03:25:01 GMT]]>It's 16 chars and this is best practice for SFTP. There are technical limits for some older clients (where 16 is the limit and special chars can break the setup) and 16 char random letters+numbers is pretty much impossible to break at the moment. More might be better but in this case it is still enough to rely on.

]]>https://forum.cloudron.io/post/55345https://forum.cloudron.io/post/55345Fri, 04 Nov 2022 03:25:01 GMT