Increase length of app passwords

humptydumpty

I think it’s less than 20 characters. +50 characters would be nice. +100 would be ideal. Is there a technical reason why it’s this low?

Dashboard > profile > app passwords > generate

subven

It's 16 chars and this is best practice for SFTP. There are technical limits for some older clients (where 16 is the limit and special chars can break the setup) and 16 char random letters+numbers is pretty much impossible to break at the moment. More might be better but in this case it is still enough to rely on.

humptydumpty

@subven Interesting to learn about SFTP limits. That limit doesn't apply to mail and other apps though. The reason I brought this up is because (iirc that is) nextcloud won't log in on iOS if 2FA TOTP plugin is installed & active for the user. I think I had to temporarily disable TOTP, log into the app on the phone, and then re-enable 2FA in NC.

Edit: here are the apps that I have installed and can make use of the generated app passwords:

• mail client
• wekan (app)
• alltube (app)
• etherpad (app)
• matrix (app)
• wordpress (app & sftp)
• surfer (app & sftp)
• paperless (sftp only)

girish

@humptydumpty Internally, the password is 64 bits / 8 bytes. It's random 8 bytes , so not just the ascii space. This password is then stored hashed in the database.

Cracking this is a lot of "work". For example, https://security.stackexchange.com/questions/43683/is-it-possible-to-brute-force-all-8-character-passwords-in-an-offline-attack has some numbers and that's only over 96 characters in each byte as opposed to our 256 characters range. Most rainbow tables also won't work because our character set is broader.

Hope that clarifies the logic.

humptydumpty

@girish It sure did. I thought it was a simple matter of brute forcing 16 characters. I’m glad that’s not the case. Thanks for the clarification!