Option for more secure app passwords #3873
Comments
Yeah I'd like this!
I'd like to avoid this until we have a decent oauth endpoint, so the user doesn't have to type this anymore.
Wouldn't it be possible at least for the time being to use upper case, lower case characters and digits, and e.g. 5 blocks? Should be fairly easy to change that here https://github.com/nextcloud/server/blob/master/settings/Controller/AuthSettingsController.php#L166 to e.g.
That wouldn't make the device passwords that much harder to type in but would at least increase the entropy of the tokens.
@nickvergessen would you be interested in a PR for this? One could also add a config option for either old tokens or new token generation.
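To make the entropy argument in the comment above concrete, here is an added example (not code from the Nextcloud project or from any commenter) that generates block-formatted tokens from a chosen alphabet with a CSPRNG and computes how many bits of entropy each format carries. The block count and block length (5 blocks of 5) are assumptions for illustration; the issue does not state the exact token layout. The calculation deliberately ignores the hyphens, since separators at fixed positions are predictable and add nothing.

```python
import math
import secrets
import string

# Alphabets compared in the thread. Block count and length below are
# assumed values for illustration, not the project's actual format.
UPPER_ONLY = string.ascii_uppercase                       # 26 symbols
UPPER_LOWER_DIGITS = (string.ascii_uppercase
                      + string.ascii_lowercase + string.digits)  # 62 symbols
FULL_ASCII = UPPER_LOWER_DIGITS + string.punctuation      # 94 symbols


def entropy_bits(alphabet_size: int, symbol_count: int) -> float:
    """Entropy of symbol_count symbols drawn uniformly and independently
    from an alphabet of alphabet_size. Fixed-position separators are not
    random, so they must not be counted in symbol_count."""
    return symbol_count * math.log2(alphabet_size)


def generate_token(alphabet: str, blocks: int, block_len: int,
                   sep: str = "-") -> str:
    """Generate `blocks` groups of `block_len` symbols from `alphabet`,
    joined by `sep`. `secrets.choice` uses the OS CSPRNG and picks each
    symbol uniformly, which the entropy figure assumes."""
    groups = ["".join(secrets.choice(alphabet) for _ in range(block_len))
              for _ in range(blocks)]
    return sep.join(groups)


def token_entropy(token: str, alphabet: str, sep: str = "-") -> float:
    """Entropy of an existing token: only the characters that were drawn
    at random count, so the separators are stripped first."""
    symbols = token.replace(sep, "")
    if any(c not in alphabet for c in symbols):
        raise ValueError("token contains characters outside the alphabet")
    return entropy_bits(len(alphabet), len(symbols))


def compare_formats(blocks: int = 5, block_len: int = 5) -> dict:
    """Entropy in bits for the same layout over each candidate alphabet."""
    layouts = {
        "upper only": UPPER_ONLY,
        "upper+lower+digits": UPPER_LOWER_DIGITS,
        "full printable ASCII": FULL_ASCII,
    }
    return {name: entropy_bits(len(alpha), blocks * block_len)
            for name, alpha in layouts.items()}


if __name__ == "__main__":
    for name, bits in compare_formats().items():
        print(f"{name:>22}: {bits:6.1f} bits")
    sample = generate_token(UPPER_LOWER_DIGITS, 5, 5)
    print("sample token:", sample,
          f"({token_entropy(sample, UPPER_LOWER_DIGITS):.1f} bits)")
```

The comparison shows what the commenter is after: keeping the same typeable block layout but widening the alphabet raises the entropy per character from about 4.7 bits (26 symbols) to about 5.95 bits (62 symbols), without making the token longer.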
The current app passwords (or "device/app pins") are quite short and only consist of capital letters (the hyphens can be added by any attacker as they are at specific positions), which violates all password best practices and policies (even the one you can set in NextCloud's password policy app). The login password is likely longer and if generated with a password manager also more secure (with a higher entropy).
So could you at least offer an option for more secure passwords (just the way password generators generate them, with all kinds of ASCII characters in it)? Either for the user or at least for the server admin?