How do I change my password for Node-Red?

I have Node Red installed using the Home Assistant add-on store.
Is there a way to change my admin password?

Now a password change is required because the notification in Home Assistant says my password is pwned. There is a warning from nodered saying:
Note : Once you set this property, do not change it - doing so will prevent Node-RED from being able to decrypt your existing credentials and they will be lost.

Damned if you do, and slightly less damned if you dont.

I am going to go out on a limb and say that because this gets encrypted; you would need to re-create your instance from scratch - but don’t quote this as the official answer.

Now; I wonder if it is possible to back-up your flows first and then re-import them back in once you re-create your instance.

Has anyone changed the password and found a way to restore all the node-red flows? I have a lot of them and I would rather keep being nagged about the password than losing all of my automations.

I didn’t want to risk losing all of my flows so I made a flow to remove the notification.

[{"id":"e595727a.34abd","type":"server-events","z":"16dcca58.77df96","name":"Catch it","server":"f7b623d4.ed978","event_type":"call_service","exposeToHomeAssistant":false,"haConfig":[{"property":"name","value":""},{"property":"icon","value":""}],"waitForRunning":true,"x":110,"y":200,"wires":[["40634ee0.88cf3"]]},{"id":"40634ee0.88cf3","type":"switch","z":"16dcca58.77df96","name":"","property":"payload.event.domain","propertyType":"msg","rules":[{"t":"eq","v":"persistent_notification","vt":"str"},{"t":"else"}],"checkall":"true","repair":false,"outputs":2,"x":230,"y":200,"wires":[["6bc9b9c4.043688"],[]]},{"id":"6bc9b9c4.043688","type":"switch","z":"16dcca58.77df96","name":"","property":"payload.event.service","propertyType":"msg","rules":[{"t":"eq","v":"create","vt":"str"},{"t":"else"}],"checkall":"true","repair":false,"outputs":2,"x":350,"y":200,"wires":[["926f846.0f0e278"],[]]},{"id":"926f846.0f0e278","type":"switch","z":"16dcca58.77df96","name":"","property":"payload.event.service_data.notification_id","propertyType":"msg","rules":[{"t":"cont","v":"supervisor_issue_pwned","vt":"str"},{"t":"else"}],"checkall":"true","repair":false,"outputs":2,"x":470,"y":200,"wires":[["b7c909aa.9529a8"],[]]},{"id":"b7c909aa.9529a8","type":"api-call-service","z":"16dcca58.77df96","name":"Whack it","server":"f7b623d4.ed978","version":1,"debugenabled":false,"service_domain":"persistent_notification","service":"dismiss","entityId":"","data":"{\"notification_id\":\"{{payload.event.service_data.notification_id}}\"}","dataType":"json","mergecontext":"","output_location":"","output_location_type":"none","mustacheAltTags":false,"x":600,"y":200,"wires":[[]]},{"id":"f7b623d4.ed978","type":"server","name":"Home Assistant","legacy":false,"addon":true,"rejectUnauthorizedCerts":true,"ha_boolean":"y|yes|true|on|home|open","connectionDelay":true,"cacheJson":true}]

Look in your backup for flows.json. This should be all of your flows. I am running HassOS and this file is in my config folder/node-red. It appears to me that every different installation has a different file structure, so you may have to search for it.

I don’t know which is worse- that I get the daily notification that my Node-Red password sucks or that I have no option to not be notified. The end result is that I now ignore ALL notifications.

1 Like

After 3 painful days of playing whack-a-mole trying to change my passwords and reprogram all my devices to use them, I think it is impossible without some serious skills. I did not even get around to trying to change my NodeRed password, lol, so many wasted hours and so much pain (SSH, MQTT, HA, ESPhome, Google Assistant Voice, Tasmota…). In the end I am not sure it is even possible to change the passwords and get my home working again. I think it would require starting over totally, with a secure password.

Here is the way to disable the notifications according to a moderator here:

Changing the node-red credential secret to something else wouldn’t wipe out your nodes. It would mean that for any node where you use other credentials for something, you would need to re-enter them. The “credential secret” protects that information, not anything else.