Block HA from sending out passwords to third party

I got the: The add-on uses secrets which are detected as not secure, see for more information.

So the latest version of Home Assistant forces me to send my (apparently hashed or so) to a third party. I have no way to opting it out, so I’ll probably do it the networking way. For now my HA box is isolated from the network. Pitty as some services are cloud.

Found the Insecure secrets in core_samba thread. And apparently, some devs think it shouldn’t be up to me to decide what information is being sent from my home. I don’t see this being resolved in the code at least in a foreseeable future.

Anyone yet snooped around what ports/ip/domains to block?


This is something a lot of apps and websites do now.
Check your password against a database of known bad ones. Doesn’t seem to be any opting out from any of them

Good for them

1 Like

You could always fork ha?

Basically all password managers have opt-out on this.

Fork is a troublesome way to go. I’d prefer just to block it outside.

1 Like

A hashed password generally consists of at least 128 characters.
HA sends the first 5 (was it?).

The amount of your hashed password that is “leaked” is insignificant.

But i still believe there should be an opt out.

Could you expand on this?

What do you mean?

Should be descriptive.

I’m sure many consider this great practice, technical sound solution, etc etc,…

To be precise, the password-checking feature is part of the latest version of Supervisor (2031.3.0). I’m still running Home Assistant 2021.2.3 but have received warnings for two Add-Ons.

I changed the password for Samba. However, changing the password for Node-Red has implications:

Note: Once you set this property, do not change it - doing so will prevent Node-RED from being able to decrypt your existing credentials and they will be lost.

From what I can see in Supervisor’s log, it performs the password-checking feature on startup and at 1-hour intervals. I don’t want to be reminded of the Node-Red password issue so I silenced it by blocking access to via Pihole.

An alternative is to create an automation that deletes the persistent notification reporting the password issue (examples have been posted elsewhere).


Smooth! Sounds like a good path


Genius. Thanks very much. Now I can get back to work and stop refreshing HA to dismiss that notification.

Good to know.

I can rest easy knowing that I can just ignore this from now on. :laughing:

Unless they start targeting non-supervised versions soon as well…

I wonder how this was done. I guess my IP has been exposed already and if the API gets jacked, we’re screwed?

1 Like

The API only has a record of the passwords that has been leaked. Not yours.
And as the description says, HA sends five characters to the API and gets a list of all passwords that match these five characters, then HA sees if your password is on this list.

And even if your whole hashed password got leaked, it’s still hashed.
It’s “useless”, that is the whole point of hashed passwords.

The API can’t see what IP the request came from?

1 Like

If they store the IP then it needs your consent.

But either way, what is the issue with that? They still don’t have your password, only five characters of the hash.
And no username.

There’s about a zillion threads on forums what’s considered good and bad security. I’m sure you can find one of them and discuss it there. I think your thought of consent as some sort of guarantee, is enough for a debate.

Meanwhile, from what I know is that my IP is being continuously sent with the “password check”.

1 Like

I believe you don’t understand what you are discussing.

Let me show you, here is a sha hasher:
SHA256 Online (
The hash of a is:

The first five characters are sent:

Any hash that matches these five first characters are returned to HA and HA will determine if your password is on the list or not.

Just to be clear, here is the hash of aa

and as you can see they do not even resemble each other.

Even if HA would send the complete hash of a to the server then they can’t “un-hash” the password, that is the thing about hashes. You can’t reverse it to find out what the password actually is.

It’s like if I say “20” to you and you should guess the mathematics that created the result 20.


You’re missing the point. People choose HA because they want to own their own data and send as little as possible to the outside. It’s not like this is a feature of every major linux distro and there is no way of opting out.

When it comes to your technical assessment, start a separate thread about how secure it is.


That was not your point, let me remind you:

You believed you would be “screwed” if the open API of got jacked (not sure how to “jack” a open API).
I find my comments to be perfect fit to your question.

According to others at least, this is a fairly common in other apps to check passwords against known breaches.
I don’t know if that is true, but I know google has it in chrome also.