Opt-out of pwned secrets warnings

:joy: perfect

2 Likes

/takes a bow :wink:

2 Likes

None of the password managers reveals where the password is used.
Here you can find the pattern on GitHub.

Comment from the peanut gallery:
The only truly effective IT security between your environment and the Internet has to be at the single port (pun intended) of entry… your router/firewall. Managing security from multiple points will doom you to leaks… so stop trying to secure your place with application based software.
Now if you’re concerned with security issues within your LAN/Organization/Family… you’ve got other issues that cannot be dealt with via software and really shouldn’t be discussed in public. :slight_smile:

There is no such thing as internal or external, only layers of security :slight_smile:
Getting a simple foothold, and being able to move easily between systems is always nice with bad passwords, then you don’t have a footprint on the systems that are ‘important’ until the killshot is done.
Uh, of course I know nothing about such things, so ignore my input…

1 Like

Feature request put in place for making this an option:
Opt-out/in Password check to third party?

If you prefer it as optional, please vote.

9 Likes

imho, it’s silly we must enter long discussions or vote to make things be done right.

but I did vote anyway.

8 Likes

This is the reason why I signed up for this community.
The question was how to get rid of this warning, not what about your hopes for HA (Home Assistant).
If people are using HA it is most likely for the flexibility of the product. So if anyone asks for restrictions, he is promoting any closed solution. And how well this worked in terms of ‘security’ we have seen so many times. So please ‘inform’ about the situation once, but let me decide what to set up and how.

10 Likes

Thanks a whole bunch for this… I always find it difficult to figure out the relevant trigger object. You are a gentleman and a scholar.

1 Like

Quite sure.

I have Terminal & SSH installed. I do not have SSH & Web Terminal installed.

More to the point, the ‘warning’ message says core_ssh, which doesn’t appear to be either of those, and is not a clear message.

That’s the real heart of my complaint. The notification isn’t useful because it doesn’t contain enough information to be actionable by the average end user.

For now, I’ve set up the previously recommended automation that clears these worse-than-useless notifications as they come in, but that is a totally unacceptable solution as anything other than a bandaid.

3 Likes

Regarding the seat belt analogy. There is a hidden option to disable the tones on Subarus. Even on US models. I believe other cars have this in EU/CAN as well. I know for certain Audi does.

I would love to see an option to disable this HIBP check.

Check the names again. You are now claiming to have the one from the core repo, and not the one you mentioned at first. This is why I shared the screenshot. There are two and they have similar names but are not the same. One is from the core repo, and the other is from the community repo. The one from the community repo has many extra features.

All the add-ons from the core repository are prefixed with core-

If you are running Terminal & SSH, you are running core ssh. The add-on slug names are visible in your url address bar:


1 Like

Interesting. I changed my password in that app to one I had never used before, and when the messages kept popping up, I assumed that was not the problem. I guess I must not have clicked Save.

Thank you for the assistance.

That said, this is still a terribly implemented feature that (lightly) violates our privacy without our permission, and provides feedback that is incomplete, making it difficult to act on.

2 Likes

What are you talking about? What data? (irt to my homeassistant).

I don’t want hassio to send my passwords, my password hashes or part of them to anybody!
If someone exploits pwnedpasswords.com they will know that my IP address has a weak password associated with it. Not so cyber safe!

2 Likes

Most likely they do not have your IP.
And even if they do, then they only have five characters of the hash of your password.
Not even close to being enough.
And they don’t have your username, so yet again, not enough.

Even with your username, IP and the hash of your password, it would still be “impossible”.
A hash can’t be reversed, and brute forcing a hash is calculated to take far too long to be a realistic method for hacking.

If I had your IP, and username then I would probably first try a “social attack” meaning you learn from social media and other online activity what the person’s password could be.

Chances are that a person who is into sailing or football would have a password on the topic of sailing or football.

And that is a very good way to hack someone. It is very likely that you succeed using that method.
So if you want a good password then don’t bother with whether the password has been used by someone else; make sure it’s unrelated to you.
If you like football then have “competitiveswimming” as your password.
It’s long, it’s unrelated. You could add a number, say 1905, which is also unrelated to you, in the middle of one of the words: “comp1etiti9veswim0min5g”.

To add to everything, if you use Nabu Casa then the port will be blocked in your router, meaning they can’t get in there either.
The request will be from your IP, but to get to your IP you need to go to blablabla.nabu.casa.

1 Like

Of course they have your IP. You connected to them (well, the HA Supervisor did).

Of all your passwords. That’s already a lot. They can use this information to run a dictionary attack on your system without even connecting to it. If they wanted they could have entire botnets running dictionary attacks on all of your passwords 24/7 without you ever knowing about it. Passwords that don’t match can easily be weeded out using the partial hash. They’ll be left with a small subset of candidates they would have to actually try against you in an active way.

The fact that we are still discussing this issue is absurd. This ‘feature’ is a subversion of what HA stands for. It is a violation of the users’ privacy. At this point I would fully expect a developer to come forward and say, OK guys, we messed up with that one, we added a consent dialog with an opt-in / opt-out checkbox in the next release. And the issue could be closed.

5 Likes

You are just guessing.
There is no fact that there is a database with your IP and the characters you sent to them.
I call bullshit; prove to me that it exists and we can discuss it further.

You can’t build a dictionary of an incomplete hash.
It doesn’t work that way.
The first characters of the hash do not relate to the first characters of your password.
It’s not like anyone can make out that your password starts with…

Try out different hashes and you will see that they do not relate to each other.

No… but you can find all known passwords in dictionaries by partial match of hashes. You can also try generating the passwords and then hashing them before trying against your system. It minimizes the number of failed attempts.
No offense, but it’s you who are still making assumptions, showing a lack of knowledge in this area.

BTW, AFAIK SHA-1 has been considered non-secure for about ten years now… Another “good” decision.

1 Like

I’m not guessing, that’s how the internet works… If you connect to a site, they have your IP. Look up how TCP/IP works…

That’s not what I was saying. Reread my post. A hash (even a partial one) is a validator for a password. It will tell you with 100% certainty if a specific string (either through brute force or through a dictionary) cannot be your password. It can be used to rule out vast amounts of attempts without needing a connection to your system.

So basically, should that third party site ever go rogue, then this shiny new HA security feature will make attacks on your system easier - regardless of how good your password is.

3 Likes
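The two technical claims argued over above (that only five characters of the hash leave the client, and that even a partial hash acts as a filter on candidate passwords) can both be made concrete in a few lines. The script below is an added example and is not Home Assistant's or Have I Been Pwned's own code: it models the k-anonymity range lookup the thread describes (send the first five hex characters of the SHA-1 hash, receive the suffixes and breach counts of every known hash sharing that prefix, compare locally), using a constructed range response embedded inline in place of the HTTPS call. `fetch_range` is a stand-in for that network request, and all suffixes and counts in `SAMPLE_RANGES` are invented except the remainder of SHA-1("password"), which is genuine so that the lookup has something to find. `prefix_bits` and `expected_survivors` quantify how much a five-character prefix narrows the candidate space, which is the point the later post makes.

```python
import hashlib

# Added example (not Home Assistant's or HIBP's own code). It models the
# k-anonymity range lookup discussed in the thread: only the first five hex
# characters of the SHA-1 digest leave the client; the service answers with
# the suffixes (and breach counts) of every known hash sharing that prefix,
# and the comparison against the full digest happens locally.

PREFIX_LEN = 5  # hex characters sent to the service

# Constructed stand-in for the service's range response for prefix 5BAA6.
# The line format ("SUFFIX:COUNT") is the real one; suffixes and counts are
# made up, except that the second suffix is the genuine remainder of
# SHA-1("password") so the lookup below can match it.
SAMPLE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "A7B1C2D3E4F5061728394A5B6C7D8E9F011:1\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """(prefix that is sent to the service, suffix that never leaves the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} map (blank lines ignored)."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def fetch_range(prefix: str) -> str:
    """Hypothetical transport: stands in for the HTTPS GET to the range API."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def pwned_count(password: str) -> int:
    """How often the password appears in the (simulated) corpus; 0 if absent."""
    prefix, suffix = split_hash(password)
    matches = parse_range_response(fetch_range(prefix))
    return matches.get(suffix, 0)


def prefix_bits(prefix_len: int = PREFIX_LEN) -> int:
    """Bits of the 160-bit digest the service learns: 4 per hex character."""
    return 4 * prefix_len


def expected_survivors(candidates: int, prefix_len: int = PREFIX_LEN) -> float:
    """Of `candidates` guesses, roughly how many share one given prefix.

    Each hex character of prefix discards about 15/16 of a candidate set, so a
    leaked prefix is a filter, not a reversal: with five characters about one
    candidate in 16**5 (1,048,576) survives.
    """
    return candidates / (16 ** prefix_len)


if __name__ == "__main__":
    for pw in ("password", "password1", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        print(f"{pw!r}: prefix sent={prefix}, pwned count={pwned_count(pw)}")
    print(f"prefix reveals {prefix_bits()} bits; of 10 million guesses about "
          f"{expected_survivors(10_000_000):.1f} share any one prefix")
```

Running it shows both sides of the argument in one place: "password" and "password1" produce unrelated prefixes, so nothing about the password's characters can be read off the prefix, yet the prefix still discards roughly 1,048,575 of every 1,048,576 candidates, which is why a logged prefix is worth more than zero to whoever holds it. A check that never sends the prefix at all would need the full corpus locally; the trade the design makes is those 20 bits for a much smaller download.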