How to set a password policy for Nextcloud users

Setting a strict password policy on Nextcloud could prevent your users' accounts from getting hacked. Find out how.


Nextcloud is one of the most flexible, user-friendly, and cost-effective on-premises cloud server solutions you'll find. Once it's up and running, you'll discover there's not much this platform can't do. However, there are a few things you should take care of as soon as you have Nextcloud running.

One such task you should immediately handle is the setting of password policies. Fortunately, Nextcloud has this feature built right in, so there's no need to add a third-party application or even bother with a manual configuration.


Why do this?

This question shouldn't have to be asked. But on the off-chance you are either unsure or you have to convince someone, it's simple: If left to their own devices, users will opt to go with passwords like password, password123, 12345, etc. That is far from secure and should never be allowed. That's why you want to enable password policies any chance you can.

With that said, I'm going to walk you through the process of enabling and configuring a password policy for Nextcloud. 

What you'll need

The only things you'll need for this process are:

  • A running instance of Nextcloud

  • Credentials for a Nextcloud admin user

How to enable the Password Policy

Log into your Nextcloud instance as an admin user. Click on your profile image in the upper right corner and then click Settings (Figure A).

Figure A

The Settings entry in the Nextcloud menu.

In the resulting window, click Security in the left navigation (Figure B).

Figure B

The Security entry in the Nextcloud sidebar.

Scroll down to the Password Policy entry (Figure C).

Figure C

The Password Policy configuration section.

Make sure that Forbid Common Passwords is enabled--that should be considered an absolute must. I would also suggest enabling the following (at a minimum):

  • Enforce Upper And Lower Case Characters

  • Enforce Numeric Characters

If you're serious about the security of your Nextcloud cloud server, I would suggest enabling each option in the Password Policy section. Yes, it might cause a bit of frustration with your users, but it will certainly add a much-needed boost to the security of your Nextcloud instance. 
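For deployments that are scripted rather than clicked through, the three toggles recommended above can also be set from the command line with Nextcloud's occ tool. This is an added example, not part of the original article; the install path, the web server user, and the password_policy key names are assumptions, so confirm the keys on your version with `occ config:list password_policy` before relying on them.

```shell
#!/bin/sh
# Added example: apply the Password Policy toggles with occ instead of the web UI.
# Assumptions (not from the article): install path, web server user, and the
# password_policy app's key names. Check them with: occ config:list password_policy

NC_DIR="${NC_DIR:-/var/www/nextcloud}"   # assumed install path
NC_USER="${NC_USER:-www-data}"           # assumed web server user
OCC="${OCC:-sudo -u $NC_USER php $NC_DIR/occ}"

# One key=value pair per line; 1 turns the toggle on.
#   enforceNonCommonPassword  -> Forbid Common Passwords
#   enforceUpperLowerCase     -> Enforce Upper And Lower Case Characters
#   enforceNumericCharacters  -> Enforce Numeric Characters
POLICY="enforceNonCommonPassword=1
enforceUpperLowerCase=1
enforceNumericCharacters=1"

# Dry run: print the occ command for each setting without changing anything.
policy_commands() {
    printf '%s\n' "$POLICY" | while IFS='=' read -r key value; do
        printf '%s config:app:set password_policy %s --value=%s\n' \
            "$OCC" "$key" "$value"
    done
}

# Apply the settings; stop at the first failure so a half-applied policy
# shows up as a non-zero exit status instead of passing silently.
apply_policy() {
    printf '%s\n' "$POLICY" | while IFS='=' read -r key value; do
        $OCC config:app:set password_policy "$key" --value="$value" || exit 1
    done
}

# Usage: script --dry-run   (review the commands)
#        script --apply     (run them)
case "${1:-}" in
    --dry-run) policy_commands ;;
    --apply)   apply_policy ;;
esac
```

Run it with `--dry-run` first and review the printed commands before using `--apply`.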

The caveat

This is a big one, so pay attention. If you already have users on your Nextcloud instance, and you change the password policy configuration, those old user passwords will still work. In other words, the new password policy will only apply to new users. Because of this, you have two choices:

  1. Make sure to set the password policy as soon as you deploy Nextcloud.
  2. After setting the password policy, make sure you send word out to current users to manually update their passwords according to the policy. 

Here are the steps for users to change their passwords:

  1. Click the profile image in the upper right corner.
  2. Click Settings.
  3. Click Security in the sidebar.
  4. Under Password (Figure D), type and verify the new password (that conforms to the new policy).
  5. Click Change Password.

Figure D

The user password change feature.

Hopefully, once all of your legacy users have changed their passwords to conform with the new rules, everyone on the system will enjoy a much more protected account on your Nextcloud server.

Image: Jack Wallen