Insecure secrets in core_samba

Hi all
Today I got the following 2 messages in notifications.
What do they actually mean and how can I fix them?

Insecure secrets in core_samba
The add-on core_samba uses secrets which are detected as not secure, see https://www.home-assistant.io/more-info/pwned-passwords for more information.

7 minutes ago
Insecure secrets in core_ssh
The add-on core_ssh uses secrets which are detected as not secure, see https://www.home-assistant.io/more-info/pwned-passwords for more information.

7 minutes ago

This means that the passwords you use for the Samba add-on are weak and on the pwned list.

2 Likes

Sure, but if your SMB ports are closed on your firewall, why is that important?

1 Like

There’s a heated debate about this issue over on this thread.

How do we turn these notifications off?

1 Like

I would also really like to disable them!

1 Like

By fixing your passwords.

I doubt that is going to happen but you never know.

I am getting this error in NodeRed, and there are no passwords in NodeRed as far as I know.

Insecure secrets in a0d7b954_nodered
The add-on a0d7b954_nodered uses secrets which are detected as not secure

I would also like to disable this notification, or at least have it tell me where to find my password that it hates.

Ok, I tried changing my Samba passwords twice to 15 digit ones using random words and special characters and yet still get the insecure secrets warnings.
What am I doing wrong?

Vote for it to be optional
Hope for enough votes
Hope devs listen to the community

Here’s the link: Opt~out/in Password check to third party

Meanwhile you can block the api call if you don’t want the notifications. (This also includes no check, if you can live with that). This can be done in a few ways, but a simple one is to have api.pwnedpasswords.com either blocked or resolved locally to 127.0.0.1.
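
Added example (not part of any post in this thread, and not Home Assistant's own code): the k-anonymity range lookup offered by the Pwned Passwords API at api.pwnedpasswords.com, where only the first five hex characters of the secret's SHA-1 hash are sent and the comparison happens locally. `fake_range`, the breached list and its counts are constructed stand-ins so the block runs offline.

```python
import hashlib

def split_hash(secret: str) -> tuple[str, str]:
    """SHA-1 the secret; return (5-char prefix sent out, 35-char suffix kept local)."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_body: str) -> int:
    """Look for our suffix among the 'SUFFIX:COUNT' lines; 0 if it is absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

# Constructed stand-in for the remote service (assumption, for offline use).
# The counts are made up; a real response lists hundreds of suffixes per prefix.
CONSTRUCTED_BREACHED = {"password": 1000, "hunter2": 50}
SEEN_BY_SERVICE = []  # everything that would leave the machine

def fake_range(prefix: str) -> str:
    """Return every known suffix that shares the requested 5-char prefix."""
    SEEN_BY_SERVICE.append(prefix)
    lines = []
    for known, count in CONSTRUCTED_BREACHED.items():
        known_prefix, known_suffix = split_hash(known)
        if known_prefix == prefix:
            lines.append(f"{known_suffix}:{count}")
    lines.append("0" * 35 + ":3")  # unrelated entry sharing the prefix
    return "\r\n".join(lines)

def is_pwned(secret: str, fetch_range=fake_range) -> bool:
    """True if the secret's hash suffix appears in the range response."""
    prefix, suffix = split_hash(secret)
    return breach_count(suffix, fetch_range(prefix)) > 0

if __name__ == "__main__":
    for sample in ("password", "constructed-example-9f3-not-listed"):
        print(sample, "->", "pwned" if is_pwned(sample) else "not found")
```

The lookup flags a secret only when its hash appears in the breach corpus, so the result depends on list membership rather than on length or character mix.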

Has there been an official response to the growing number of people who do not like/want/are concerned about this issue?

Not that I know of. Discord and GitHub seem silent also.

Anyone figure this out? I’m still getting the notification.

FIX THE PASSWORD… that is the solution!

2 Likes