Insecure secrets in addon notifications

Hello,
Since yesterday I get 2 notifications:

Insecure secrets in core_samba
The add-on core_samba uses secrets which are detected as not secure, see https://www.home-assistant.io/more-info/pwned-passwords for more information.

Insecure secrets in xxxxxxxx_nodered
The add-on xxxxxxxx_nodered uses secrets which are detected as not secure, see https://www.home-assistant.io/more-info/pwned-passwords for more information.

What should I do?

Change the password you currently have, in both add-ons, to something else (preferably to something more complex).

For your consideration:

Interestingly, I got the same notification; checking the passwords I used in those add-ons showed that they had not been pwned. After another restart, the notification did not show up again. I think it was a quirk with the latest update for me.

It’s a new feature in Supervisor 2021.3.0. It compares the passwords you have with an online list of known passwords (known to have been “pwned” or harvested).

From what I see in Supervisor’s log, it seems to perform this check on startup and at 1-hour intervals.

21-03-04 15:50:43 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.PWNED/ContextType.ADDON

It connects to the following:
api.pwnedpasswords.com

I blacklisted that address on Pi-hole in order to silence this feature.

3 Likes
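What a lookup against api.pwnedpasswords.com sends and how a match is decided, as an added example that is not part of any post in this thread and is not Supervisor's own code. It assumes the check uses the public Pwned Passwords range endpoint (5-character SHA-1 prefix in the URL, `SUFFIX:COUNT` lines in the reply); the function names and the sample response are constructed for illustration.

```python
import hashlib

# Public Pwned Passwords range endpoint (assumed to be what the check queries).
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def request_url(password):
    """The only password-derived data in the request is the 5-char prefix."""
    return RANGE_URL.format(prefix=split_hash(password)[0])

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, body):
    """Match the suffix locally; a count of 0 (padding entry) is not a hit."""
    return parse_range_body(body).get(split_hash(password)[1], 0)

def constructed_body(listed_password, count):
    """Constructed sample response so the example runs offline (no network call)."""
    suffix = split_hash(listed_password)[1]
    lines = ["0" * 35 + ":3", f"{suffix}:{count}", "F" * 35 + ":0", "garbage"]
    return "\r\n".join(lines)

if __name__ == "__main__":
    body = constructed_body("password", 12345)  # constructed count, not real data
    for candidate in ("password", "correct horse battery staple"):
        print(request_url(candidate), "->", breach_count(candidate, body))
```

The full hash and the password itself never leave the host; the comparison against the returned suffixes happens locally.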