I don’t know what has to happen to allow Chrome and Firefox to figure out that there’s credential fields on the page in order to suggest to save a password, but it’s killing me that HomeAssistant is just about the only website that I use regularly that I can’t have it auto-populated with my credentials.
I use chrome and my logins are transparent for both local and remote.
I also use two factor authentication though, maybe that’s different ?
Not sure but at least I can populate them manually with my password manager addon now.
I just use Chrome as my password manager and for whatever reason, you can’t manually add credentials to it. I’m dependant on it asking me to save them. And if it doesn’t detect the right fields on the page, it doesn’t ask.
I’m using 1password. By ‘manually’ I mean I can right click the page and select the credentials to auto-fill.
Not sure if I had to save the credentials to the manager manually initially. I guess I did as previous to recent updates it would not even auto-fill using the above method.
I’m also having this problem, I’ve been using Home Assistant for over 18 months and I always have to manually copy paste my password into the login field after closing and re-opening my browser (my browser is configured to auto clear cookies on close)
And it’s why I’m here today. Anytime I need to log in via a new device I need to create a new account as I don’t recall the password I used initially and there is no option to save.
I did a full reinstall a ways back and signed into it again using the one account but again, the iOS app, chrome on iOS, chrome in OSX on MBP, Firefox on Linux and app and website on the iPad, but now I want to sign in on a new system and again I can’t locate the password anywhere. It is not saved in any store on any device.
I’m still logged in on each of the other devices, but I can’t change the current password without knowing the current password.
I can’t help but think this is by design and intentional.
Last time (before the reinstall) I think I needed to create a new admin account and move everything over. I thought I would remember it this time but sadly I have forgotten. I’m thinking I should just use “password” make it as insecure as possible. Lol. Not really.
But if anyone knows what the best way to maintain user passwords for home assistant, I’d be much appreciative.
Get yourself a password manager. Any password manager.
but I use google chrome that generally stores my passwords quite well, ios and osx have the keychain management that it does, do I really need another third party independent system that I need to copy / paste into and out of, how’s that going to fare with iOS and synchronicity between all my devices and computers? I really don’t want to add another point of failure
Well obviously that solution is not working for you. It depends what app you go for but 1password has extensions or well integrated apps for all those platforms that share a common synchronised database. I’m sure the others do too but as I don’t use them I can’t comment.
Rather than continually creating new accounts you should reset your auth, create new owner, and user accounts and remember the passwords!
I would consider this a Google password manager problem if I had this problem with literally any other website. As far as I’m concerned, the issue is with the Home Assistant login screen.
@SteveDinn I agree, it’s home assistant, not google chrome, not firefox, not apple ios or mac osx. I do not have this issue with any other website or app.
It even affects the app in ios, so it leads one to conclude it has been purposely included by design, it’s just counter intuitive to “the norm”. I have banking and stock market apps that my systems offer to remember passwords, but my home automation server… it has deemed password management too sensitive to allowed to be saved, at least that’s how I’m seeing it.
@tom_l There are certain levels of trust and copy and pasting passwords from one app to another and having the clipboard buffer available to any other service that happens to be running in the background is a security risk. I do in fact take security to the next level. The levels of trust I have are those employed by the major browsers and my operating systems, however, the clipboard buffer is not secure. And remembering 300+ individual and unique passwords is just not an option. The fact you suggest to just “remember it” leads me to believe you don’t have any short term memory problems AND you use a limited set of passwords AND/OR you possibly commit some other minor security infraction I do attempt to remember them as far as possible, but often that does not happen and it appears that home assistant is forcing users to make a password that is explicitly memorable (security risk #1) and/or record it somewhere and copy and paste it in (security risk #2)
Out of curiosity, what password manager do you use and how does it integrate with Home Assistant? Is it able to insert a password into password field of a website and by what secure mechanism does it do that? If it is using some form of encryption between it and the browser I would seriously consider it, but that also is dependant on the synchronisity of it between my systems and devices. Something I do trust chrome to take care of, and not just any third party app. As mentioned, I am happy to take recommendations. In the meantime, I would much prefer home assistant allow my devices to store the password in the secure vaults offered by the underlying operating systems and not enforce people to adopt less secure options.
Nope, just an issue with browsers/password managers apparently.
Password managers will need to update their extensions to work with ShadowDOM.
It was covered as an issue in the Month of WTH:
I’m going to add this here for the moment and come back and follow this up later, if someone else wants to have a look at it in the meantime and investigate, all well and good. I have a busy schedule today but my brain really wants to continue looking into this now (and I normally would, however I do have some urgent stuff that needs to get done YESTERDAY! (story of my life LOL))
I figured I would check out the login as you suggested and on the way got distracted by the issues and thought I would check closed issues:
Apparently this has been a problem before and it was possibly fixed (or not).
I’ll come back to investigate later
edit; damn @Silicon_Avatar, we’re on the same page (now), ok, I wasn’t aware of that, I will look into those references when I get back… except to say, are you saying the chrome and ios inbuilt password managers are the things at fault and they (apple and google) need to fix their code?? (seriously have to run, I will revisit, thanks for your links)
Well I wouldnt go as far to say that I’M saying it or agree with it lol, but it’s the opinion of Balloob.
In that github issue balloob linked to a thread over at 1Password where it was stated that 1Password (and most other password managers I assume) use
document.querySelectorAll to handle the password fields.
HomeAssistant uses Polymer as the backend to it’s GUI, which uses ShadowDOM but breaks
querySelectorAll. From what I gather this is “better” as it allows more encapsulation and less ability for other applications that can read the page (like password mangers) to dig around in the fields of websites(?).
Evidently support for ShadowDOM was added to 1Password at some point, so the “official” response is now:
If 1password can do it, so can other password managers. I suggest people open bug reports that Shadow DOM is not supported. We are not going to rewrite our auth flow.
Though support for it from 1Password is also very limited, and only works with their “companion extension”.
All of this is just what I gathered from the github issue and the links posted there, I don’t consider myself qualified enough to understand it really.
FYI, further discussion on this topic was continued here.
It is if you use a secure desktop for the application.
I have already mentioned that.
So let me get this, 1password is the only one that works. The most commonly used in google chrome does not work (I checked). HA development just chooses to give everybody NOT using 1password a crappy experience and is not willing to change that?
Pretty short sighted, if you ask me. I use Enpass and it does not work either. Now I can ask Enpass to change. But the people who are using Google Chrome password manager can not, so they are just abandoned by HA? Wouldn’t it be more user friendly to provide with an option to use shadowDOM or not use it (only for the auth).
I also use the Google Chrome password manager. That would be nice to support it!
If anyone wants a workaround, it’s possible to edit the page to add a password field so that chrome detects a password. Then it can be saved and next time, without the edit you can use the saved password.
Here are some instructions: How can I manually add a password to Chrome password manager? - Super User