A strong password policy in ownCloud ensures all users do their part in thwarting password-based cyber attacks. These features aren’t included by default. However, there is a free add-on app for enforcing a strong password policy in ownCloud. It won’t resolve all ownCloud security issues, but it is a good start.
Install the ownCloud Password Policy app
The following steps cover how to install the ownCloud app from within the ownCloud dashboard as an administrator.
- Log into ownCloud and install the Password Policy app.
- From the settings page, under Admin, select Security.
- Scroll down to the Password and public link expiration policies section. Check any boxes and make needed changes for what you wish to enforce.
- Select Save at the bottom.
Configure a Password Policy in ownCloud
We recommend you enable all password policy features. Below we’ll share some best practices and other things to consider regarding password management and complexity.
For user accounts and public links:
Minimum characters – at least 12-15 characters of preferably an uncommon passphrase of three or more random words. Those are generally easier to remember than a combination of 15 alphanumeric characters.
Minimum lowercase letters – at least 2. Minimum letter requirements prevent simple passwords like “123456.”
Minimum uppercase letters – also at least 2.
Minimum numbers – between 2-4 to ensure no one uses basic passwords (e.g. “password”).
Minimum special characters – 2 should suffice.
Restrict the allowed special characters for passwords if you encounter issues related to integration conflicts and database queries.
User password policies
Last passwords should not be used – at least within 5 updates. Ten or more will surely discourage users from trying to bypass this security method.
Days until user password expires – should be a tolerable medium based on how often the average user logs into ownCloud, the sensitivity of data stored, and how often your ownCloud server is targeted by cyber attacks. The average password duration is 60-90 days. You might want to shorten the time frame if the average user logs into the cloud-based storage app more than a few times a week. However, some cybersecurity experts advise against short password expiration as it may inadvertently encourage more bad behavior (e.g. writing passwords on sticky notes or simply adding a “1” to the end of the last password).
After enabling the “days until user password expires” policy setting, you must log into SSH, navigate to your ownCloud root directory, and set an initial password change date for existing users with the
occ user:expire-password terminal command.
Days before password expires, users will receive a reminder notification – may require some trial and error. Thirty days is ample warning but early enough for users to forget. Try 10 or more so users can do this at the start or end of the work week.
Force users to change their password on first login if you’re sending the password to others with an insecure method (email, text message, etc.).
Public link expiration policies
Days maximum until link expires if password is set – start between 1-7 days. This limit can be set higher since it is password protected.
Days maximum until link expires if password is not set – start with under 3 days since there is no password protection.
For vetted security guidelines on creating a password policy in ownCloud, read through National Institute of Standards and Technology (NIST) Special Publication 800-63B. For related cybersecurity best practices, check out Verizon’s Data Breach Investigation Report (DBIR).
Remember, a strong password policy in ownCloud is an important part of data security but not the entire foundation. Integrate two-factor authentication (TFA) for another buffer from password attacks. Also, you should advise users to use a free, reputable password manager application such as Bitwarden or KeePass.
Learn more from our ownCloud Education Channel.