Block HA from sending out passwords to third party

That’s a bold statement. We, as users, honestly have no idea if it will come to Core or not as the basic premise is scanning secrets.yaml. The only difference between Core and Supervisor in this instance is that it is looping through installed add-ons first. If the devs think it’s a good security feature, it could easily be pushed into Core through a simple PR.

1 Like

If it was coming to core it would have been in core to start with.

Again, that’s a bold statement. Like I said, if the devs feel like this is a good feature, it’s one they could easily port into Core.

1 Like

I wonder how you came to 1"something" (I’m not familiar with the KB unit) per password for UTF-8. Considering most passwords (especially weak ones, which obviously are the majority in the db) consist mostly of ASCII characters, their length in bytes should be the same (or very similar) regardless of charset.

I would prefer to throttle the polling frequency. I’ve had success with Home Assistant Supervised on Debian. I’ve identified the code within Supervisor responsible for polling version.home-assistant.io and have increased the interval (i.e. decreased the polling frequency).

However, I also have an RPi3 running an instance of Home Assistant OS and it has an additional twist. Although it also runs my throttled Supervisor code, it still makes connection requests to version.home-assistant.io every 5 minutes. This behavior doesn’t exist in the instance of Home Assistant Supervised on Debian. The difference leads me to believe the underlying operating system in Home Assistant OS is making the repeated 5-minute requests. What exactly is doing it, I don’t know yet.


FWIW, it’s also possible to modify Supervisor’s code to eliminate the password-check feature but it’s less convenient than simply blocking api.pwnedpasswords.com.


EDIT

My hunch was correct. Here’s what is responsible for polling every 5 minutes:

According to the documentation for Network Manager, the default polling frequency is 300 seconds (5 minutes).

http://manpages.ubuntu.com/manpages/bionic/man5/NetworkManager.conf.5.html

I really don’t need it to check Internet connectivity so frequently so that will be throttled as well.

4 Likes

Seriously, that is worth the “Holmes Detective of the Week Award” if we even have one !
:+1:

1 Like

It’s so funny the bloodletting in here over an issue for most people that would be solved just by switching to a secure password. Yeah it’s a nuisance but this whole discussion is deja vu when they removed the simple API password for HA itself and forced local users to use a username and password. The screaming and arguments were near identical.
Anyway, pissing in the wind can be entertaining to watch and here’s me all outa popcorn…

5 Likes

You should have a popcorn delivery just prior to the new month release.
I have to admit, the level of “uproar” seems to reach a higher and higher crescendo as time passes …

Or is that just the consequences of Covid 19 lockdown ?

:thinking:

1 Like

It’s a consequence of HA turning against its own ideals. A home automation software that puts “privacy first” (quote HA homepage) and then proceeds to send personally identifiable information to a third party without user consent. Yeah, what could possibly go wrong.

It boggles my mind how anyone at the HA dev team could have thought this to be a good idea. If someone feels they need to be babysat by HA, sure by all means, turn that ‘feature’ on. But not providing an opt-out is, frankly, unbelievable. The uproar is well deserved.

6 Likes

Could be… I wouldn’t be surprised.

1 Like

And the point is they DON’T send any personally identifiable information anywhere… what they do send was clearly detailed a few posts up…

1 Like

Yep, exactly the reason a password checking mechanism has been implemented - because they wish to produce a product that protects you, your HA instance and your home network. With the amount of newcomers that are continually asking for help with rather simple and somewhat trivial issues, it’s no wonder they are trying to protect all-comers.

Can you provide me an example of the human readable data that is sent, and could therefore be intercepted via a MitM attack? I’d be interested to see what evidence there is that your statement is correct.

Perhaps you were asleep recently when security vulnerabilities were identified within HA, and then rather quickly patched with a number of updates. One would assume that introducing things like password checks is a security mechanism that continues on with ensuring HA is kept as secure as possible.

You are welcome to submit a feature request, perhaps this will be implemented if you do so and it has enough support. Having been around for a while, I have seen many changes introduced and then, after community feedback, be adjusted or removed entirely. Just blindly bitching doesn’t help progress your thoughts or ideas around here, I’ve learnt that from personal experience.

1 Like

Does HA also go through my HA managed grocery shopping list to prevent me from buying unhealthy food ? It is not HA’s job to protect me from my own stupidity. If password security is deemed to be an issue, then such a feature can be added with an opt-out.

First bytes of the password hash along with IP (implicit, includes ISP and geolocation) and timestamp (implicit). This is more than enough to start building a user profile over time by a (potentially insecure) third party. You can build user profiles with much less than that. It is also a possibility for the third party to specifically build a list of IPs with a HA instance running behind them.

Oh come on. This is absolutely unrelated and you know that.

I voted.

2 Likes
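As an added illustration (not part of any post in this thread and not Supervisor's code), the sketch below walks through the k-anonymity range lookup offered by the public Pwned Passwords API: the password is SHA-1 hashed, only the first 5 hex characters of the digest go into the request URL, and the remaining 35 are compared locally against the returned `SUFFIX:COUNT` lines. `make_fake_fetch`, the filler line and the count `1234` are constructed so the example runs offline.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest sent in a range query (20 bits)

def split_hash(password):
    """Return (prefix that is sent, suffix that never leaves the host)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def range_url(prefix):
    return "https://api.pwnedpasswords.com/range/" + prefix

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            found[suffix.upper()] = int(count)
    return found

def breach_count(password, fetch):
    """Look up a password; the suffix comparison happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

def make_fake_fetch(known, sent_log):
    """Constructed offline stand-in for the HTTP GET; logs every URL requested."""
    table = {}
    for pw, count in known.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    def fetch(prefix):
        sent_log.append(range_url(prefix))
        filler = "0" * 35 + ":1"  # constructed line standing in for other hashes in the bucket
        return "\r\n".join(table.get(prefix, []) + [filler])
    return fetch

if __name__ == "__main__":
    sent = []
    fetch = make_fake_fetch({"password": 1234}, sent)  # count is a constructed value
    for pw in ("password", "Åcorrect horse battery staple"):
        print(repr(pw), "->", breach_count(pw, fetch))
    print("requests that left the host:", sent)
```

The `sent` list is what an observer of the request path sees for each check, in addition to the source IP and request time that accompany any HTTPS request.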

So it’s human readable, or hashed and abbreviated? If you are so concerned about your privacy, you would already be using a network wide VPN, so submitting IP info won’t be of concern.

It’s not, it’s linked to security and making sure your instance is as protected as it can be.

Good job :+1:

It doesn’t matter if it’s human readable or not. It’s a binary blob that can be used to identify your instance by a machine, with more or less accuracy depending on a number of factors. Ironically, the more unique your password is, the easier it is to build a profile of you. It doesn’t matter if you use a VPN or not.

From a technical point of view, this makes 0 sense. And you can’t argue emotional statements :wink:

1 Like

The whole argument is emotional lol

1 Like

Can’t argue with that.

I mean I’m not even affected personally, I use HA core only. And if I was, first thing I’d do is remove this nonsense from the Supervisor source. But still, it’s an important thing to discuss, regardless of what side you stand on.

2 Likes

Kilobyte? Just like megabyte…

UTF-8 has four bits per character, I assumed a hashed password would be 256 characters.
256x4 bits = 1 KB (kilobyte).

What??
So you mean just because I write an A, that is an ANSI character, and when I write Å that is UTF-8?
That is not how it works.
You set the character set for the document, not each character.
And we are talking the hashed passwords, not the unhashed.
The hashed passwords are UTF-8 (it could be unicode also, but I doubt it).

@Hellis81, no offense, but you don’t understand how UTF-8 works at all.

UTF-8 is a variable length encoding. All ASCII chars up to char code 127 are encoded as 1 byte in UTF-8. So an English text containing only ASCII chars would be absolutely identical in ASCII and in UTF-8. If you write Å, then the UTF-8 encoding kicks in, because the Unicode code point for Å is higher than 127. In the case of Å, it is encoded as two bytes in UTF-8. Most characters of languages other than Asian ones are encoded as two bytes. Asian scripts can use three bytes and sometimes up to four bytes in UTF-8. Technically, it can encode even higher code points as 5 or 6 byte sequences. This changes per character, not per document.

Of course this is all irrelevant in this current discussion. But I just had to clear this complete misconception up.

2 Likes

I did not know, or perhaps I did and forgot the variable length.
That is correct. That will skew the size a lot.