This has to be a user option, to be able to disable this password check. For me this is an annoying bug more than a feature.
My local network, my choice of passwords.
Seems there are more and more solutions coming up to circumvent this from happening. Thank you very much for a great community. Please apply any solution at your own risk. Hopefully, this feature in the future will be optional.
Here are some mentioned:
@123 edited the code accordingly:
@code-in-progress just blocked api.pwnedpasswords.com in his firewall. Simple and effective.
@Freman wrote an add-on:
I just did this until the developers offer an official patch. My first blacklisted URL, HASS is always teaching me something new!
Have tried to put it in the AdGuard add-on custom filtering rule… but I doubt it will work… though Home Assistant bypasses the DNS. If this doesn’t work I will block via my firewall.
My favourite is sending websites videos of this
- Your password must be 8 characters long
- Your password must contain a lower case letter
- Your password must contain an uppercase letter
- Your password must contain a symbol
- Your password must contain a number
Passw0rd!
All requirements satisfied, and it’s less secure than any of the ones I would have put in there otherwise.
That’s nine characters long
Did this already get fixed? I just noticed my Samba Notification Block automation hasn’t blocked anything in two days, nor have I gotten any notifications since then.
That may be around the time I updated Supervisor to 2021.03.03, I don’t recall exactly. I just went to .04 and so far no notifications or automation triggers about passwords yet.
Is it over?
[Edit: No, I finally realized it wasn’t showing up in the logbook because I’d (wisely) excluded the automation from Recorder. No sense filling up yet another log. The password check is already doing enough damage to my SD card, running hourly.]
I have supervisor-2021.03.4 and still seeing my automation running so it isn’t over… for me anyway.
I beg to differ… C0wb0yz96! You probably recall the score…27-17 over the steelers. mohhh ha ha ha ha
Super strong password! No one would use Cowboys as a password in the last 20 years.
I’m in no way trying to be up in your face about this, but it might give you some peace of mind if you read up on how your passwords actually AREN’T harvested:
This paragraph explains it nicely:
"Suppose a user enters the password test into a login form and the service they’re logging into is programmed to validate whether their password is in a database of leaked password hashes. Firstly the client will generate a hash (in our example using SHA-1) of a94a8fe5ccb19ba61c4c0873d391e987982fbbd3. The client will then truncate the hash to a predetermined number of characters (for example, 5) resulting in a Hash Prefix of a94a8. This Hash Prefix is then used to query the remote database for all hashes starting with that prefix (for example, by making a HTTP request to example.com/a94a8.txt). The entire hash list is then downloaded and each downloaded hash is then compared to see if any match the locally generated hash. If so, the password is known to have been leaked."
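The hash-prefix (k-anonymity) flow the quoted paragraph describes, as an added example that is not part of the original post or of Home Assistant's code. The SHA-1 of "test" and the 5-character prefix are the ones from the quote; the range response body is constructed here (the breach count and the second suffix are made up) and modelled on the "SUFFIX:COUNT" line format that range endpoints return, so the script runs offline. Note that the remote side only ever receives the 5-character prefix; the full hash stays on the client.

```python
import hashlib

PREFIX_LEN = 5  # characters of the hex SHA-1 sent to the remote service

# Constructed stand-in for the remote range database, keyed by hash prefix.
# Each line is "<35-char upper-case SHA-1 suffix>:<times seen in breaches>".
# The first suffix is the real remainder of SHA-1("test"); the counts are made up.
SAMPLE_RANGE_RESPONSE = {
    "A94A8": "\n".join([
        "FE5CCB19BA61C4C0873D391E987982FBBD3:12345",
        "0000000000000000000000000000000000A:3",
    ]),
}


def hash_password(password: str) -> str:
    """Upper-case hex SHA-1 of the password, computed locally."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple:
    """Split the 40-char hash into the prefix that is sent and the suffix that is kept."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip()] = int(count.strip() or 0)
    return counts


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP range request; only the prefix ever reaches it."""
    assert len(prefix) == PREFIX_LEN, "only the prefix may leave the client"
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")


def breach_count(password: str, fetch_range=offline_fetch_range) -> int:
    """Return how many times the password appears in the (sample) leaked set, 0 if not found."""
    prefix, suffix = split_hash(hash_password(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("test", "correct horse battery staple"):
        print(pw, "->", breach_count(pw))
```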
I think everyone appreciates that aspect of the check, and the benign nature of the hashing.
What they don’t appreciate is not having the function to:
- Disable / Enable the service
- Mute the warnings partially or totally
The unannounced nature of the change meant the usual super-excitement of release day became super-annoyance at an unrequested, uncontrollable announcement to a third-party business.
It has probably not gone unnoticed that HIBP was looking for a buyer in 2019 though that seemed to stall in March last year.
Having a global, intimate, and popular software such as HA checking daily on the service would certainly enhance its value.
/tin-foil
They’re America’s password…
I vote for an option to disable this. No need to have this on a local, secured network, behind a firewall, with no outside access.
And whose idea was it to check every hour?
If a password is changed, the supervisor needs to be restarted anyways before it takes effect, so why not check just once when the supervisor starts.
Huh??? Um no it doesn’t
I guess it’s not a problem as the check won’t reach the 3rd party then?
Not only does there need to be a general opt-in/out option for this, there should also be a) the ability to disable warnings for specific items, and b) the ability for users to set how frequently the system checks passwords.
As it stands now this is a perfect setup for creating “alarm fatigue”. Users who have a potentially compromised password they can’t change or can’t change easily will simply ignore the notification icon, potentially missing a newly compromised password that they may actually be able and wanting to fix.
I don’t appreciate the check, it is extra processing and extra bandwidth that is just a waste. I know exactly which of my passwords are strong and which are weak. I understand the risk, and frankly HA is at a level of complexity that I would bet that 90% of the users here are at a tech level where they could probably teach most old school system administrators a thing or two.
Regardless of whether the lookup is hashed or not and whether HIBP is safe or not… This needs an option to be disabled.
Let me re-phrase that: “with no access from the outside”.
Yes, Home Assistant has limited access through the firewall to do its own things, but the only way into Home Assistant is via an https enabled caddy server, etc, etc