Setting a strict password policy on Nextcloud could prevent your user’s accounts from getting hacked. Find out how.
Nextcloud is one of the most flexible, user-friendly, and cost-effective on-premises cloud server solutions you’ll find. Once it’s up and running, you’ll discover there’s not much this platform can’t do. However, there are a few things you should take care of as soon as you have Nextcloud running.
One such task you should immediately handle is the setting of password policies. Fortunately, Nextcloud has this feature built right in, so there’s no need to add a third-party application or even bother with a manual configuration.
SEE: Serverless computing: A guide for IT leaders (TechRepublic Premium)
Why do this?
This question shouldn’t have to be asked. But on the off-chance you are either unsure or you have to convince someone, it’s simple: If left to their own devices, users will opt to go with passwords like password, password123, 12345, etc. That is far from secure and should never be allowed. That’s why you want to enable password policies any chance you can.
With that said, I’m going to walk you through the process of enabling and configuring a password policy for Nextcloud.
What you’ll need
The only things you’ll need for this process are:
How to enable the Password Policy
Log into your Nextcloud instance as an admin user. Click on your profile image in the upper right corner and then click Settings (Figure A).
Figure A
The Settings entry in the Nextcloud menu.
” data-credit rel=”noopener noreferrer nofollow”> The Settings entry in the Nextcloud menu.
In the resulting window, click Security in the left navigation (Figure B).
Figure B
The Security entry in the Nextcloud sidebar.
” data-credit rel=”noopener noreferrer nofollow”> The Security entry in the Nextcloud sidebar.
Scroll down to the Password Policy entry (Figure C).
Figure C
The Password Policy configuration section.
” data-credit rel=”noopener noreferrer nofollow”> The Password Policy configuration section.
Make sure that Forbid Common Passwords is enabled–that should be considered an absolute must. I would also suggest enabling the following (at a minimum):
If you’re serious about the security of your Nextcloud cloud server, I would suggest enabling each option in the Password Policy section. Yes, it might cause a bit of frustration with your users, but it will certainly add a much-needed boost to the security of your Nextcloud instance.
The caveat
This is a big one, so pay attention. If you already have users on your Nextcloud instance, and you change the password policy configuration, those old user passwords will still work. In other words, the new password policy will only apply to new users. Because of this, you have two choices:
- Make sure to set the password policy as soon as you deploy Nextcloud.
- After setting the password policy, make sure you send word out to current users to manually update their passwords according to the policy.
Here are the steps for users to change their passwords:
- Click the profile image in the upper right corner.
- Click Settings.
- Click Security in the sidebar.
- Under Password (Figure D), type and verify the new password (that conforms to the new policy).
- Click Change Password.
Figure D
The user password change feature.
” data-credit rel=”noopener noreferrer nofollow”> The user password change feature.
Hopefully, once all of your legacy users have changed their passwords, to conform with the new rules, everyone on the system will enjoy a much more protected account on your Nextcloud server.
Cybersecurity Insider Newsletter
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays
Also see
Image: Jack Wallen
