Allow to force password changes after the next UI login #14

Open
nickvergessen opened this issue Jul 18, 2016 · 24 comments

@nickvergessen
Member

https://help.nextcloud.com/t/force-password-change-at-user-logon/1664/1

I think it's a nice idea and also fits in the context of this app.

@nickvergessen nickvergessen added this to the Nextcloud Next milestone Jul 18, 2016
@MorrisJobke
Member

Moved to 11

@klm46

klm46 commented Oct 20, 2016

Hi there. Sorry for my stupid question. This is available @ Nextcloud 11.0. There is no patch for now, right?
Our data protection commissioner stopped my Nextcloud installation from going to prod for that reason.

@nickvergessen
Member Author

That's odd. But no, this is not implemented yet.

@klm46

klm46 commented Oct 20, 2016

No - this is Germany ;)

@LukasReschke
Member

LukasReschke commented Oct 20, 2016

Use LDAP login and policies from the LDAP are used.

Also as a company you may consider a Support Subscription from https://nextcloud.com/enterprise. This gives you direct access to Engineers and influence on our roadmap.

@klm46

klm46 commented Oct 20, 2016

This is an option for our company, for sure. I did take note of this a few weeks ago and planned to ask for such an investment after the cloud is in production.

For LDAP users it is no problem. But for partner companies we need to create database accounts. And the workflow does not have an opportunity to force a new database user to change the PW we created when adding the account.
Again, the premium subscription is in plan - we have much higher costs for less useful software ;)

@LukasReschke
Member

LukasReschke commented Oct 20, 2016

> This is an option for our company, for sure. I did take note of this a few weeks ago and planned to ask for such an investment after the cloud is in production.
>
> For LDAP users it is no problem. But for partner companies we need to create database accounts. And the workflow does not have an opportunity to force a new database user to change the PW we created when adding the account.
> Again, the premium subscription is in plan - we have much higher costs for less useful software ;)

Awesome. Reach out and we'd likely be very happy to help with a proof of concept. Just link to this discussion :-)

So the requirement is actually that after registration users have to change their password, is that correct? Would it also be an option that, if you have created a user, a mail with a password reset link is sent to the user? The user would then have to reset their password there.

Also is there any kind of requirement for changing passwords after X days? That would again be kinda harder to implement and not sure if at the moment desired since it clutters the UI and is not compatible with all backends. (i.e. confusing behaviour)

@klm46

klm46 commented Oct 20, 2016

> So the requirement is actually that after registration users have to change their password, is that correct? Would it also be an option that, if you have created a user, a mail with a password reset link is sent to the user? The user would then have to reset their password there.

This would be an acceptable workaround, because this would ensure that no one of us (except us admins with database knowledge) knows the PW of the external partner. No need to force changing the PW after X days.

> Awesome. Reach out and we'd likely be very happy to help with a proof of concept. Just link to this discussion :-)

I will do this. But we are a relatively big company (about 1000 employees) and it takes a while until all the processes are passed. But I'll come back to you soon with this.

@klm46

This comment was marked as off-topic.

@nbada

nbada commented Dec 5, 2018

Is there any news about this feature?
I stumbled over the lack of a feature like this a lot during the last 1 - 2 years.

@kilrau

This comment was marked as abuse.

@elpraga

elpraga commented May 27, 2020

Yes, I'm also interested to know if this feature is already available.

@ghost

This comment was marked as abuse.

@ghost

This comment was marked as spam.

@schlagi123

This comment was marked as abuse.

@nickvergessen
Member Author

nickvergessen commented Sep 7, 2020

> I'm not a PHP programmer, but I think for the Nextcloud experts it is not so hard to implement these functions (you can take a look at ownCloud's implementation).

Feel free to find someone in https://help.nextcloud.com/c/nextcloud-freelancing/48 to get this feature in.

> This offends the community, which is also responsible for your success.

While I agree that the community is responsible for the success of Nextcloud, I don't think this issue is offending someone or the community which (as you said yourself before) should be able to fix the issue. Especially since the NIST changed its recommendation and removed password expiration (ref https://blog.24by7security.com/unpacking-the-nist-password-requirements-in-2019) and now says it's not recommended to expire passwords.

> ... otherwise this is a sign for me that Nextcloud is focusing more on larger customers (with support contracts) ...

This pays our salaries, that's just how it is and why you can use Nextcloud for free.

> Hello!! Nextcloud!! What are the plans for this feature.

See https://github.com/nextcloud/server/blob/master/.github/CONTRIBUTING.md#contributing-to-source-code
The source code is in https://github.com/nextcloud/password_policy, send a pull request https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests yourself or as written above motivate others to do it for you.

@miguelns21

This comment was marked as duplicate.

@vince2010091

There are 2 topics
Don't confuse "change at next login" with "password expiration policy"
When you give the user their first password, it is recommended to change it, and force the user to change it - regardless of expiration.

@Shen

Shen commented Nov 11, 2021

> Also as a company you may consider a Support Subscription from https://nextcloud.com/enterprise. This gives you direct access to Engineers and influence on our roadmap.

Is there no one with premium-subscription, who is interested to support/push this security(!)feature?
More than five years now. 😐

@netnut404

Is there any word on being able to force a password change? I know people use resetting your password via email, and while that is a workaround that is OK for some, it really is a workaround making you depend on an external account to be already set up a user properly. Alternatively, it would be nice to have Nextcloud be the first / only account for the user, which then sets an easy password that must change at first login. With a good password policy it will allow you to put all other accounts (including email) in a password database, thus keeping all accounts secured.

@ASLLR

This comment was marked as off-topic.

@RuudschMaHinda
Member

Just bumping in 2023 because there was an incident with one leaked password here.

@funktionierbar

> Just bumping in 2023 because there was an incident with one leaked password here.

Same here, would be glad to have this feature!

@Salzorian

Salzorian commented Apr 5, 2024

I appreciate the work of the devs.
Please don't get me wrong.
This should be a default security feature.

Thx in advance.
