External storage (files_external) app save passwords of all users to database table “oc_credentials” even when “Log-in credentials, save in database” option is not used.
It’s a security risk that allow password extraction of all users.
A local system admin that has access to database and nextcloud config file could decrypt any user password.
Don’t save user password to table “oc_credentials” unless user has a mount with “Log-in credentials, save in database” option.
Passwords of all users is saved to table “oc_credentials” when files_external app is enabled.
Nextcloud 18.0.4 + External storage 1.9.0
Nextcloud 17.0.5 + External storage 1.8.0
A local system admin could recover any user password.