Forbid username, domain, themed name as password #96

Admin-Viatos · 2020-01-30T08:53:54Z

Hello everyone,

yesterday I discovered a strange thing: it’s possible to use the Username as password (testet in NC17 and NC18). App "password policy" is active.

If your Username rules the password policy you can set the Username as password

Should that be so ???

kesselb · 2020-01-30T09:09:29Z

cc @nextcloud/security

Nextcloud is also accepting contributions ;) Code for password_policy is here: https://github.com/nextcloud/password_policy

rullzer · 2020-01-30T09:24:48Z

@Admin-Viatos ah you found my secret TODO list.

So yes. Currently this is allowed. But you are right that it probably should not be.
Same goes for the domain, and the themed name of the site etc. All of this should be blocked in my opinion (or at least be configured to be blocked).

As said by @kesselb if you have any php coding skills (or want to learn). See https://github.com/nextcloud/password_policy where we handle this :)

georgehrke · 2020-01-30T15:28:06Z

Moving to password_policy repository ...

georgehrke transferred this issue from nextcloud/server Jan 30, 2020

georgehrke changed the title ~~Security-Flaw or Design - Username as Password?~~ Forbid username, domain, themed name as password Jan 30, 2020

georgehrke added 1. to develop enhancement labels Jan 30, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Forbid username, domain, themed name as password #96

Forbid username, domain, themed name as password #96

Admin-Viatos commented Jan 30, 2020

kesselb commented Jan 30, 2020

rullzer commented Jan 30, 2020

georgehrke commented Jan 30, 2020

Forbid username, domain, themed name as password #96

Forbid username, domain, themed name as password #96

Comments

Admin-Viatos commented Jan 30, 2020

kesselb commented Jan 30, 2020

rullzer commented Jan 30, 2020

georgehrke commented Jan 30, 2020