Upgrading Nextcloud 13 -> 14 (on Ubuntu 18.04) permanently locks you out if "Password is among the 1,000,000 most common ones"

[holta]

Steps to reproduce

1. Upgrade Nextcloud 13.0.6 to Nextcloud 14.0.0 on a Ubuntu 18.04 machine, with a "weak" password that worked fine with Nextcloud 13.0.6 (prior to the upgrade).
2. Try to log in to Nextcloud's web interface.

Expected behaviour

Nextcloud should not unrecoverably lock you out of your files and system.

(Or it should let you change your password at the very minimum!)

Actual behaviour

Nextcloud prevents you from logging in, with this small message in the center of the screen:

Error: Password is among the 1,000,000 most common ones. Please make it unique.

But you cannot log in to change your password!

(Nor should you have to, if using Nextcloud in an offline or pre-production environment, where a "weak" password is an intentional choice in training environments.)

Server configuration

Operating system:
Ubuntu 18.04 Server or Desktop (same exact problem occurs).

Thia same problem does NOT occur on Ubuntu 16.04 or on the Raspbian OS on Raspberry Pi(!)

Web server:
Apache

Database:
MySQL

PHP version:
7.2.7-0ubuntu0.18.04.2

Nextcloud version: (see Nextcloud admin page)
14.0.0

Updated from an older Nextcloud/ownCloud or fresh install:
Updated from 13.0.6

Where did you install Nextcloud from:
https://download.nextcloud.com/server/releases/nextcloud-14.0.0.tar.bz2

Signing status:
(Cannot log into Nextcloud)

List of activated apps:
sudo -u www-data php occ app:list returns...

Enabled:

• accessibility: 1.0.1
• activity: 2.7.0
• cloud_federation_api: 0.0.1
• comments: 1.4.0
• dav: 1.6.0
• federatedfilesharing: 1.4.0
• federation: 1.4.0
• files: 1.9.0
• files_pdfviewer: 1.3.2
• files_sharing: 1.6.2
• files_texteditor: 2.6.0
• files_trashbin: 1.4.1
• files_versions: 1.7.1
• files_videoplayer: 1.3.0
• firstrunwizard: 2.3.0
• gallery: 18.1.0
• logreader: 2.0.0
• lookup_server_connector: 1.2.0
• nextcloud_announcements: 1.3.0
• notifications: 2.2.1
• oauth2: 1.2.1
• password_policy: 1.4.0
• provisioning_api: 1.4.0
• serverinfo: 1.4.0
• sharebymail: 1.4.0
• support: 1.0.0
• survey_client: 1.2.0
• systemtags: 1.4.0
• theming: 1.5.0
• twofactor_backupcodes: 1.3.1
• updatenotification: 1.4.1
• workflowengine: 1.4.0
  Disabled:
• admin_audit
• encryption
• files_external
• user_external
• user_ldap

Nextcloud configuration:
sudo -u www-data php occ config:list system returns...

{
"system": {
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"localhost",
"*"
],
"datadirectory": "REMOVED SENSITIVE VALUE",
"dbtype": "mysql",
"version": "14.0.0.19",
"dbname": "REMOVED SENSITIVE VALUE",
"dbhost": "REMOVED SENSITIVE VALUE",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"instanceid": "REMOVED SENSITIVE VALUE"
}
}

Are you using external storage, if yes which one: local/smb/sftp/...
No.

Are you using encryption: yes/no
Not relevant.

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
No.

LDAP configuration (delete this part if not used)

sudo -u www-data php occ ldap:show-config returns...

There are no commands defined in the "ldap" namespace.

Client configuration

Browser:
Firefox 62

Operating system:
Diverse

Logs

Web server error log

Nextcloud log (data/nextcloud.log)

Browser log

[nextcloud-bot]

GitMate.io thinks possibly related issues are #4908 (Problem upgrading NextCloud), #9911 (Nextcloud upgrade to 13.0.4 Failed), #10208 (Testing Nextcloud 14.), #10517 (Upgrade to Nextcloud 14 beta 2 fails), and #9827 (Upgrade Nextcloud 13.0.2 -> 13.0.4 --> "No apps found for your version").

[holta]

CLARIF: if Nextcloud's MySQL database is dropped and Nextcloud 14 fully removed from the Ubuntu 18.04 server, a clean/fresh install of Nextcloud 14 DOES work with "weak" passwords, as we (among others) require.

RECAP: Nextcloud 14 is highly inconsistent, as to when it tries [?] to enforce password security [and tragically fails on both Ubuntu 18.04 OS's — Server-class and Desktop-class].

[z3ntu]

I am still logged in from before the upgrade and when trying to change the password the POST to https://MYURL/index.php/settings/personal/changepassword results in a 503 with "Password is among the 1,000,000 most common ones. Please make it unique."

edit: after turning off option "Forbid common passwords" in Administration -> Security -> Password policy (it actually was so nice to accept my password there) I could finally change my password (the new password is auto-generated and 30 characters long so it definitely isn't one of the most common ones).

[macmeck]

So what to do if you already logged off?

[holta]

So what to do if you already logged off?

Exactly.

We remain (permanently) locked out of Nextcloud 14 on Ubuntu 18.04 :-(

[kesselb]

So what to do if you already logged off?

Try to disable password_policy app php occ app:disable password_policy or "forbid common passwords" php occ config:app:set password_policy enforceNonCommonPassword --value=0

[macmeck]

"forbid common passwords" php occ config:app:set passw^Cd_policy enforceNonCommonPassword --value=0

There is a small typo in here. This should be

php occ config:app:set password_policy enforceNonCommonPassword --value=0

but works fine...

[holta]

FYI upgrading to Nextcloud 14.0.1 permanently locks you (Nextcloud administrator) out too. As before, the user interface gives no obvious way to recover your Nextcloud installation, except for this dead-end message:

Error: Password is among the 1,000,000 most common ones. Please make it unique.

(As before with Nextcloud 14.0.0, this happens on Ubuntu 18.04 — but does not happen on other OS's like Debian, Raspbian, etc.)

[ChristophWurst]

Ref #11234 for another instance that is affected.