So the latest version of Home Assistant forces me to send my (apparently hashed or so) to a third party. I have no way of opting out, so I’ll probably do it the networking way. For now my HA box is isolated from the network. Pity, as some services are cloud.
Found the Insecure secrets in core_samba thread. And apparently, some devs think it shouldn’t be up to me to decide what information is being sent from my home. I don’t see this being resolved in the code at least in a foreseeable future.
Anyone yet snooped around what ports/ip/domains to block?
This is something a lot of apps and websites do now.
Check your password against a database of known bad ones. There doesn’t seem to be any way of opting out of any of them.
To be precise, the password-checking feature is part of the latest version of Supervisor (2031.3.0). I’m still running Home Assistant 2021.2.3 but have received warnings for two Add-Ons.
I changed the password for Samba. However, changing the password for Node-Red has implications:
Note: Once you set this property, do not change it - doing so will prevent Node-RED from being able to decrypt your existing credentials and they will be lost.
From what I can see in Supervisor’s log, it performs the password-checking feature on startup and at 1-hour intervals. I don’t want to be reminded of the Node-Red password issue so I silenced it by blocking access to api.pwnedpasswords.com via Pihole.
An alternative is to create an automation that deletes the persistent notification reporting the password issue (examples have been posted elsewhere).
Why?
The API only has a record of the passwords that have been leaked. Not yours.
And as the description says, HA sends five characters to the API and gets a list of all passwords that match these five characters, then HA sees if your password is on this list.
And even if your whole hashed password got leaked, it’s still hashed.
It’s “useless”, that is the whole point of hashed passwords.
There are about a zillion threads on forums about what’s considered good and bad security. I’m sure you can find one of them and discuss it there. I think your thought of consent as some sort of guarantee is enough for a debate.
Meanwhile, from what I know is that my IP is being continuously sent with the “password check”.
I believe you don’t understand what you are discussing.
Let me show you, here is a SHA hasher: SHA256 Online (emn178.github.io)
The hash of a is: ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
The first five characters are sent: ca978
Any hash that matches these first five characters is returned to HA, and HA will determine whether your password is on the list or not.
Just to be clear, here is the hash of aa: 961b6dd3ede3cb8ecbaacbd68de040cd78eb2ed5889130cceb4c49268ea4d506 and of ab: fb8e20fc2e4c3f248c60c39bd652f3c1347298bb977b8b4d5903b85055620603
and as you can see they do not even resemble each other.
Even if HA would send the complete hash of a to the server then they can’t “un-hash” the password, that is the thing about hashes. You can’t reverse it to find out what the password actually is.
It’s like if I say “20” to you and you should guess the mathematics that created the result 20.
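The range-query ("k-anonymity") exchange described in the post above, written out as an added Python example that is not part of this thread or of Home Assistant's own code. The real api.pwnedpasswords.com range endpoint is keyed on SHA-1 (the post illustrates the idea with SHA-256 instead); the client sends only the first five hex characters of the hash, receives every suffix in that bucket as `SUFFIX:COUNT` lines, and does the final match locally. The leaked-password corpus, its counts and the in-process "server" below are constructed for the demonstration so the code runs offline; the `REQUESTED_PREFIXES` list records exactly what such a server would learn from the client.

```python
import hashlib
from typing import Callable, Dict, List

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(hex_digest: str):
    """First 5 hex chars go over the wire; the remaining 35 never leave the client."""
    return hex_digest[:5], hex_digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the range endpoint's response format) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side of the check: send the prefix, match the suffix locally.

    fetch_range is injected so the same logic works against a real HTTP client
    or the offline stand-in below. Returns 0 when the password is not in the bucket.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# --- Constructed stand-in for the server (not real breach data or counts) ---
CONSTRUCTED_LEAKED = {"password": 1000, "123456": 5000, "letmein": 42}

def build_range_table(leaked: Dict[str, int]) -> Dict[str, List[str]]:
    """Group leaked hashes by 5-char prefix, as the server would store them."""
    table: Dict[str, List[str]] = {}
    for pw, count in leaked.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    return table

RANGE_TABLE = build_range_table(CONSTRUCTED_LEAKED)
REQUESTED_PREFIXES: List[str] = []  # everything the "server" ever sees from the client

def local_fetch_range(prefix: str) -> str:
    """Offline replacement for GET /range/<prefix>; records what was requested."""
    REQUESTED_PREFIXES.append(prefix)
    return "\n".join(RANGE_TABLE.get(prefix, []))

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 7!"):
        n = breach_count(candidate, local_fetch_range)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in corpus")
    print("prefixes sent to server:", REQUESTED_PREFIXES)
```

Swapping `local_fetch_range` for a function that performs the real HTTPS request is the only change needed to run this against the live service; the server still receives a five-character prefix per lookup, which is the behaviour the post describes.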
You’re missing the point. People choose HA because they want to own their own data and send as little as possible to the outside. It’s not like this is a feature of every major Linux distro and there is no way of opting out.
When it comes to your technical assessment, start a separate thread about how secure it is.
You believed you would be “screwed” if the open API of pwnedpasswords.com got jacked (not sure how to “jack” an open API).
I find my comments to be a perfect fit for your question.
According to others at least, this is fairly common in other apps to check passwords against known breaches.
I don’t know if that is true, but I know Google has it in Chrome also.