Opt-out/in Password check to third party

I agree it was probably well-intentioned. And far be it from me to denigrate any of the wonderful developers who contribute so much of their time and effort to this project.

But I can’t help but wonder what sort of developer would think it’s a good idea to perform this kind of function hourly, and not give any option to throttle it or opt out of it.

Even disregarding the security concerns, the whole reason HA exists is to give the world something better than appliance-type solutions which allow only limited local control and force the vendor’s preferences on every user.

Every other part of HA allows the administrator to configure it to their own needs, or skip installing it in the first place. Where would the idea to do this one differently come from?

I’m not sure if you noticed but HA is becoming more and more the opposite of that lately.

It is ever so incrementally taking control away from the user with the reason to “make it easy”.

It’s the same thing Apple, Microsoft & Google have done over time.

It’s still way better than the others so that is a benefit but at what point does the frog finally realize it’s slowly being boiled?

5 Likes

It’s worse than that. They’re sending the partial hash for all your secrets, in the same order every time. No randomization, no salting of the list. This is a textbook example for fingerprinting the calling device. And the third party could then start tracking when and how you change your passwords, if you change it into vulnerable ones, track your IPs using the fingerprint (are you using VPNs from time to time, are you changing your ISP, etc).

Worst case, settle on a version and fork it. Of course that’s far from ideal if you have cloud based services, etc.

1 Like

Add me to the “Yes I would like to opt out.” List.

The Pwned site is too much of a “one size fits all”. For example, if your password is “asdfghjkl”, that is very common (over 400K hits). If your password is “LexusES”, that is still Pwned even though it is only on their list 3 times. Both generate a warning. But one is considerably better than the other (and I’m not sure it is LexusES; a longer password is almost always better than a short one).

Ironically, “LexusES!” is OK and “passes”, but every hacker knows that putting an ! at the end of a password makes it no more secure (many argue that it is slightly less secure in some cases). Sites/systems that require a “special character” just cause 80% of users to put an ! at the end (and now the hacker knows one of the chars to guess).

About 5 years ago Microsoft’s head office did a corporate audit of their employees’ passwords… Over half were “Seahawks##” where the ## was the number of the month, 01-12… (those are all Pwned too, most with low double digits). They forced a special character, did another audit, and most of the passwords were “Seahawks##!”.

I guess it is better than nothing, but only slightly.

2 Likes

All this password security discussion has convinced me to change all my passwords from 12345 to 54321.

3 Likes

Thanks for creating this feature request @MDSDM.
I’ve already discussed my disappointment with this decision here:

Amazing. Everyone knows it should be Steelers##! :upside_down_face:

4 Likes

So I noticed. I get a slight headache from this… but I’m hoping for at least some dev to chip in here. But not holding my breath.

This has to be a user option, to be able to disable this password check. For me this is an annoying bug more than a feature.
My local network, my choice of passwords.

2 Likes

Seems there are more and more solutions coming up to circumvent this from happening. Thank you very much for a great community. Please apply any solution at your own risk. Hopefully, this feature in the future will be optional.

Here are some mentioned:

@123 edited the code accordingly:

@code-in-progress just blocked api.pwnedpasswords.com in his firewall. Simple and effective.

@Freman Wrote an add-on:

4 Likes

I just did this until the developers offer an official patch. My first blacklisted URL; HASS is always teaching me something new!

2 Likes

I have tried to put it in the AdGuard add-on custom filtering rule… but I doubt it will work… I think Home Assistant bypasses the DNS. If this doesn’t work I will block it via my firewall.

My favourite is sending websites videos of this:

  • Your password must be 8 characters long
  • Your password must contain a lower case letter
  • Your password must contain an uppercase letter
  • Your password must contain a symbol
  • Your password must contain a number

Passw0rd!

All requirements satisfied, and it’s less secure than any of the ones I would have put in there otherwise.

3 Likes

That’s nine characters long :crazy_face:

Did this already get fixed? I just noticed my Samba Notification Block automation hasn’t blocked anything in two days, nor have I gotten any notifications since then.

That may be around the time I updated Supervisor to 2021.03.03, I don’t recall exactly. I just went to .04 and so far no notifications or automation triggers about passwords yet.

Is it over?

[Edit: No, I finally realized it wasn’t showing up in the logbook because I’d (wisely) excluded the automation from Recorder. No sense filling up yet another log. The password check is already doing enough damage to my SD card, running hourly.]

I have supervisor-2021.03.4 and still seeing my automation running so it isn’t over… for me anyway.

I beg to differ… C0wb0yz96! You probably recall the score… 27-17 over the Steelers. Mwahahaha.

1 Like

Super strong password! No one would use Cowboys as a password in the last 20 years.

I’m in no way trying to be up in your face about this, but it might give you some peace of mind if you read up on how your passwords actually AREN’T harvested:

This paragraph explains it nicely:
“Suppose a user enters the password test into a login form and the service they’re logging into is programmed to validate whether their password is in a database of leaked password hashes. Firstly the client will generate a hash (in our example using SHA-1) of a94a8fe5ccb19ba61c4c0873d391e987982fbbd3. The client will then truncate the hash to a predetermined number of characters (for example, 5) resulting in a Hash Prefix of a94a8. This Hash Prefix is then used to query the remote database for all hashes starting with that prefix (for example, by making an HTTP request to example.com/a94a8.txt). The entire hash list is then downloaded and each downloaded hash is then compared to see if any match the locally generated hash. If so, the password is known to have been leaked.”

1 Like
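The range lookup quoted in the post above, worked through end to end as an added example (not code from Home Assistant or from the quoted article): the client hashes the password with SHA-1, sends only the 5-character prefix, and compares the returned suffixes locally. The remote range endpoint is replaced by a constructed in-memory stand-in, and all counts in it are made up; the first suffix is the real SHA-1 tail of the password `test`, and the parser also tolerates blank or malformed lines.

```python
import hashlib

# Constructed stand-in for the remote range endpoint (example.com/<prefix>.txt
# in the quoted text): prefix -> response body of "SUFFIX:COUNT" lines.
# Counts are invented; the first suffix is the real SHA-1 tail of "test".
FAKE_RANGE_RESPONSES = {
    "A94A8": (
        "FE5CCB19BA61C4C0873D391E987982FBBD3:12345\r\n"
        "00E0B5D78C2F6B1A83C5F1E8D2A4B6C7D8E:2\r\n"
        "1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8:7\r\n"
    ),
}

PREFIX_LEN = 5  # 16**5 buckets, so a prefix identifies ~1M possible hashes


def sha1_hex(password: str) -> str:
    """Client-side SHA-1 of the password, as uppercase hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str, prefix_len: int = PREFIX_LEN):
    """Prefix is the only part that leaves the device; the suffix never does."""
    return full_hash[:prefix_len], full_hash[prefix_len:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip blank/malformed lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue  # malformed count, ignore the line
    return counts


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP GET; an unknown prefix yields an empty range."""
    return FAKE_RANGE_RESPONSES.get(prefix.upper(), "")


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """How many times the password appears in the (simulated) leaked set.

    Only the prefix is sent; the suffix comparison happens locally."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("test", "correct horse battery staple"):
        print(pw, "->", breach_count(pw))
```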

I think everyone appreciates that aspect of the check, and the benign nature of the hashing.

What they don’t appreciate is not having the function to:

  • Disable / Enable the service
  • Mute the warnings partially or totally

The unannounced nature of the change meant the usual super-excitement of release day became super-annoyance at an unrequested, uncontrollable announcement to a third-party business.

It has probably not gone unnoticed that HIBP was looking for a buyer in 2019 though that seemed to stall in March last year.

Having a global, intimate, and popular software such as HA checking daily on the service would certainly enhance its value.

/tin-foil

1 Like