Opt-out of pwned secrets warnings

I have an internal service that uses a basic password. Not because it needs to be secure but because the addon required it. I’m now getting pwned notifications all the time. Is there a way to opt out of this new feature?

21 Likes

It is totally annoying and I also can’t figure out how to turn it off.

7 Likes

Speak to the addon maintainer to sort out not using weak passwords, its just bad practice

Checking to see if using weak/insecure passwords enhances HA and i hope they dont make it possible to turn off

1 Like

Sure. It’s a great out of the box setting. But it should be something I as a power user can disable. Even if just via the CLI

12 Likes

sorry no, just stop using weak crap passwords.

Just get a password manager. there are many out there

3 Likes

I use 1Password but thanks for the suggestion. For some basic things that don’t need a unique password it’s nice to use my brain for fast access. I don’t need a notification from HA every day.

12 Likes

but that never breaks the habit then, using a password manager makes it simple, you then dont have to remember a password

(5) You Should Probably Change Your Password! | Michael McIntyre Netflix Special - YouTube

Passsword managers are great for external, don’t bug me if I want to take the risk for internal services.

I think this automation will clear things, haven’t tested it out. Just make one for each notification ID that bothers you.

alias: Clear Notifications (Duplicate)
description: ''
trigger:
  - platform: state
    entity_id: persistent_notification.supervisor_issue_pwned_core_samba
    to: notifying
condition: []
action:
  - service: persistent_notification.dismiss
    data:
      notification_id: supervisor_issue_pwned_core_samba
mode: single
19 Likes

But it isn’t just about your risk, HA are trying to minimise reputational risk for the project and promote best practices

4 Likes

And that’s fine for an out of the box experience. I don’t think anyone is advocating against it. Just let us turn it off.

12 Likes

The “turn it off” option would be a nice touch. Frankly I find it a bit intrusive for someone else dictating how I maintain my personal LAN but… that’s just me.

22 Likes

It’s a good feature.
But it doesn’t take email in to account if I understand it correctly.
So it only says my password is used by some other account.

And why would anyone bother with setting up a good password when the password is saved in a text file unencrypted.
I’m fine that it tells me about issues, but let me decide what to do and where.

9 Likes

Thanks, but my weak password for my MQTT broker on my internal network accessible by nobody but myself is hard coded into several devices that will take over an hour to access and reprogram.
Yes, weak crap passwords are bad, but using ‘user/pass’ means I don’t need to refer to a password manager every time I code something.
This should absolutely be user configurable and snobbishly saying stop using weak crap passwords is super unhelpful.

34 Likes

Stop using weak crap passwords.
I’m not sure why everyone thinks their home networks are impenetrable. The last few weeks there have been reports of Alexa plugins and chrome plugins that were once fine, but wee updated to be malicious. Using weak passwords means these kind of attack vectors can have an easy time gulping up all your data and sending it to a server somewhere.

In fairness, in the OP’s situation he shouldn’t have to use a password at all, his instance is completely local on a trusted network.

Forcing people to use a password only came about because people were blindly exposing their insecure instances to the internet. I don’t think anyone has an issue with enforced passwords - because as you say, it could potentially damage the ‘brand’.

But as per the OP there are many people that didn’t even require any enforcement in the first place, and there’s no reason to continually nag those people at all.

A strong warning with the option to disable the warning continues to protect the brand, but does not inconvenience people who know what they are doing and have simple local services that don’t actually need to be secured in any way.

17 Likes

Its not snobbish at all its just good practice. The quicker vendors or developers enforce us to use better security practices the better and will help us break the habit of using those weak passords.

But that’s me done trying to defend good security practices. I just hope the devs stick to their decision to keep nagging people, just wish there were more developers doing this.

2 Likes

If you want to access my mqtt broker, go right ahead. You’ll learn all sorts of sensitive information like when I open and close my blinds.
If it was made clear that you need a strong password for these services that are already hidden behind other passwords then fine, but it’s a bit crappy that I’ve lived with it for over a year it total knowledge of what is going on and now all of a sudden I’m getting nagged to go around the house and dismantle stuff to change the passwords.
We should control technology - it shouldn’t control us!

16 Likes

I firmly believe as a power user. I should be able to own and deal with the consequences of my actions. If I want to run an insecure installation and use poor passwords I should be able to do that. Especially if its on an isolated network, with no internet connection. Even if there are risks, I should be able to accept these.

The reason many of us use home assistant is because we to control our own infrastructure, not have someone decide this for us. You can preach to implement proper security all day, but that should be the user’s choice. Choices like this are user hostile choices.

In reference to protecting Home Assistant reputation, simply provide a firm warning, but ultimately let the user decide if they wish to see these warnings. (i.e. Enable a toggle “i_like_to_be_pwned”).

I will get a lot of people disagreeing with this statement, but the freedom to own my infrastructure is why I started using Home Assistant in the first place.

42 Likes

This is an across the board.password check. It’s unreasonable to expect different rules for each possible integration. If you need to dismantle stuff to change passwords then you’ve not designed it very well

Thanks. That’s really helpful.
Also, I crashed my car when I was 19. Perhaps you can tell me I wasn’t driving very well?

6 Likes