Opt~out/in Password check to third party

All this password security discussion has convinced me to change all my passwords from 12345 to 54321

3 Likes

Thanks for creating this feature request @MDSDM.
I’ve already discussed my disappointment with this decision here:

Amazing. Everyone knows it should be Steelers##! :upside_down_face:

4 Likes

So I noticed. I get a slight headache from this… but I’m hoping for at least some dev to chip in here. But not holding my breath.

This has to be a user option, to be able to disable this password check. For me this is an annoying bug more than a feature.
My local network, my choice of passwords.

2 Likes

Seems there are more and more solutions coming up to circumvent this from happening. Thank you very much for a great community. Please apply any solution at your own risk. Hopefully, this feature in the future will be optional.

Here are some mentioned:

@123 edited the code accordingly:

@code-in-progress just blocked api.pwnedpasswords.com in his firewall. Simple and effective.

@Freman wrote an add-on:

4 Likes

I just did this until the developers offer an official patch. My first blacklisted URL, HASS is always teaching me something new!

2 Likes

I have tried to put it in the AdGuard add-on custom filtering rule… but I doubt it will work… I thought Home Assistant bypasses the DNS. If this doesn’t work I will block via my firewall.

My favourite is sending websites videos of this

  • Your password must be 8 characters long
  • Your password must contain a lower case letter
  • Your password must contain an uppercase letter
  • Your password must contain a symbol
  • Your password must contain a number

Passw0rd!

All requirements satisfied, and it’s less secure than any of the ones I would have put in there otherwise.

3 Likes

That’s nine characters long :crazy_face:

Did this already get fixed? I just noticed my Samba Notification Block automation hasn’t blocked anything in two days, nor have I gotten any notifications since then.

That may be around the time I updated Supervisor to 2021.03.03, I don’t recall exactly. I just went to .04 and so far no notifications or automation triggers about passwords yet.

Is it over?

[Edit: No, I finally realized it wasn’t showing up in the logbook because I’d (wisely) excluded the automation from Recorder. No sense filling up yet another log. The password check is already doing enough damage to my SD card, running hourly.]

I have supervisor-2021.03.4 and still seeing my automation running so it isn’t over… for me anyway.

I beg to differ… C0wb0yz96! You probably recall the score… 27-17 over the Steelers. mohhh ha ha ha ha

1 Like

Super strong password! No one would use Cowboys as a password in the last 20 years.

I’m in no way trying to be up in your face about this, but it might give you some peace of mind if you read up on how your passwords actually AREN’T harvested:

This paragraph explains it nicely:
"Suppose a user enters the password test into a login form and the service they’re logging into is programmed to validate whether their password is in a database of leaked password hashes. Firstly the client will generate a hash (in our example using SHA-1) of a94a8fe5ccb19ba61c4c0873d391e987982fbbd3. The client will then truncate the hash to a predetermined number of characters (for example, 5) resulting in a Hash Prefix of a94a8. This Hash Prefix is then used to query the remote database for all hashes starting with that prefix (for example, by making a HTTP request to example.com/a94a8.txt). The entire hash list is then downloaded and each downloaded hash is then compared to see if any match the locally generated hash. If so, the password is known to have been leaked."

1 Like
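The prefix-query flow quoted above, written out as an added example (not code from the thread, from Home Assistant, or from Pwned Passwords). The network fetch is replaced by a stand-in that serves a constructed range response, so it runs offline; the first suffix in that response is the real remainder of SHA-1("test"), the second is made up.

```python
import hashlib
from typing import Callable, Tuple

PREFIX_LEN = 5  # the number of hex characters that actually leave the client

# Constructed stand-in for the remote range file for prefix a94a8, in the
# "SUFFIX:COUNT" line format used by Pwned Passwords. Only the first suffix
# is real (the tail of SHA-1("test")); the second and both counts are made up.
SAMPLE_RANGES = {
    "A94A8": "\r\n".join([
        "FE5CCB19BA61C4C0873D391E987982FBBD3:12345",
        "0" * 34 + "A:3",
    ]),
}


def offline_range_lookup(prefix: str) -> str:
    """Replaces the HTTP GET of <server>/<prefix>.txt; serves the constructed data above."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def split_hash(password: str, prefix_len: int = PREFIX_LEN) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the hex digest into the prefix
    that is sent to the service and the suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:prefix_len], digest[prefix_len:]


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how many times the password appears in the leaked-hash set
    (0 if absent). The full password and full hash are compared locally only."""
    prefix, suffix = split_hash(password)
    body = range_lookup(prefix)  # the only data sent out is the 5-char prefix
    for line in body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or "0")
    return 0


if __name__ == "__main__":
    for pw in ("test", "some-unrelated-passphrase"):
        print(pw, "->", pwned_count(pw))
```

Swapping `range_lookup` for a function that records its argument shows exactly what the service would see: a single five-character prefix per check, never the password or its full hash.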

I think everyone appreciates that aspect of the check, and the benign nature of the hashing.

What they don’t appreciate is not having the function to:

  • Disable / Enable the service
  • Mute the warnings partially or totally

The unannounced nature of the change meant the usual super-excitement of release day became super-annoyance at an unrequested, uncontrollable announcement to a third-party business.


It has probably not gone unnoticed that HIBP was looking for a buyer in 2019 though that seemed to stall in March last year.

Having a global, intimate, and popular software such as HA checking daily on the service would certainly enhance its value.

/tin-foil

1 Like

They’re America’s password…

I vote for an option to disable this. No need to have this on a local, secured network, behind a firewall, with no outside access.
And whose idea was it to check every hour?
If a password is changed, the supervisor needs to be restarted anyways before it takes effect, so why not check just once when the supervisor starts.

2 Likes

Huh??? Um no it doesn’t

1 Like

I guess it’s not a problem as the check won’t reach the 3rd party then?