I wanted to access my HA site from a new PC. But I forgot my username and password.
I googled and found: I'm Locked Out! - Home Assistant which describes a way to deal with that, and it starts with: “If you are still logged in to the web interface with your user, then you are in luck.”
And then describes a convoluted way of creating (and later deleting) a new user … and all that, to gain access from another PC.
Great.
However: IF I’m already logged in, and IF there’s a way (convoluted as it is) to get to see (well, set) my credentials, why not simply provide a little button or something that SHOWS me those credentials? (Without the need to create and delete a new user, and having to change things).
Sounds like an extremely simple thing to do, with virtually zero security issues!
I don’t know about HA, but most modern systems do not store passwords any more (it is considered a security risk), but store a hash of your password, preferably salted. When you log in, your password is salted and hashed and compared to the stored hash.
So showing these credentials would still not show your password.
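
The salted-hash login check described in the reply above, as an added example that is not part of the original thread and is not Home Assistant's own code. PBKDF2-SHA256, the iteration count, the function names and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this example


def make_record(password: str) -> dict:
    """Return what the server stores: a random salt and the derived hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def show_credentials(username: str, record: dict) -> str:
    """Everything a 'show my credentials' button could read from storage."""
    return f"{username}: salt={record['salt']} hash={record['hash']}"


if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed sample value
    first = make_record(password)
    second = make_record(password)
    print(show_credentials("alice", first))       # no password in the output
    print(verify(password, first))                # correct password is accepted
    print(verify("wrong guess", first))           # anything else is rejected
    print(first["hash"] != second["hash"])        # same password, different salt
```

Because the salt is random per record, two users with the same password get different stored hashes, and the stored record cannot be turned back into the password for display.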
Ah yes, very true!
So, let me change my request to the usual “Send me an email to reset my password”.
H-A HAS a page where you can reset your password, but you have to enter your OLD password … which is, of course, the one I forgot! LOL
(And, since I’m already signed in: why SHOULD I enter that password again?)
I think the option to e-mail a new, temporary password is a great idea.
Since we access HA through the web-based UI or the app, most of us probably never type the password. That makes it easy to forget. And when do you need it most? When you’re not home and may not have whatever password manager you typically use handy.
The “forgot password” link on the logon page is pretty much the industry standard now. I’m actually surprised HA doesn’t have it.
Again, security industry standard. If someone could access that computer, they could change the password on you and gain access.
Yes, ‘send email to reset password’ is also an industry standard. But, do you have an SMTP sender set up in HA? That may end up being more convoluted than quickly setting another user and resetting yourself.
“If someone could access that computer, they could change the password on you and gain access.”
But if they can access my computer while I’m logged in, then a) they already gained access, and b) they already can change my password, by creating a new user!
When it comes to security, I think a user (in a personal PC environment) should at least have SOME say in what is allowed (making things easier) and what not! (Are you listening Microsoft?).
So ideally, I should be able to configure the level of security (for instance: do I need the old password to change a password, even when I’m already logged in?)
The problem with the quest for security is that you can make a system SO secure, that you can barely use it! That may be necessary for computers in a business environment, but for home use, I should be allowed to ease up things a bit. (Like in Linux).
True. So, in a security discussion, they should really add a password requirement for the logged in user to do any other user changes.
Yes, it is HOME Assistant. But, that does not mean it will always be used in a ‘home’ type of environment. I can certainly see them get a LOT more flak if someone can change the password without entering the current password than this situation.