Opt-out of pwned secrets warnings

I agree. Also if they would check, one check when a new password is inserted is enough

2 Likes

Wow, everyone needs to relax. Arguing with each other solves nothing. A good chunk of these posts are walking the COC line. Everyone, go vote for the feature request and take some time to cool off.

7 Likes

This topic was automatically opened after 15 hours.

This is irritating as hell. And it is not the least bit helpful if it can’t show me the password that was in the pwned database. Am I supposed to go and change every single ‘secret’ which includes I imagine simple usernames used anywhere in Home Assistant?? My username for my MQTT broker is Mikey. I just made that up on the fly and my name is not Michael. But if ‘Mikey’ is in the pwned database as a terrible password, then fine, kind of. But it is not a password. And it doesn’t need to be protected by the HA Nanny. At the very very least this needs to be able to be turned off. But the whole thing should be scrapped as it is just a terrible idea, even if it were to be implemented well, which it was not.

4 Likes

I must agree! This is my setup, my data, my server, my risk. If I want to take that risk it is me that must be able to opt-out.

Have you seen “what you must do to make node red safe”? Holy moly, that is an awful lot of work and risk of trouble. And why bother if my samba share is protected by a simple user and pass… I run it in a DMZ with only access from 1 single PC on SMB.

Please make this undone! Or at least opt out or a kill switch for the warning. Or a good manual on what to do per addon that a message is sent for…

Thanks :roll_eyes:

Edit: from here… not even clear:

4 Likes

Hey, as promised way way back 3 days ago (I would have posted it yesterday but y’all got the thread locked), I’m finally back from the land of limited internet and knocked this addon up last night.

It’s very much an at your own risk solution but it’s working for me. Hopefully the devs will give us the opt out option, or at the very least not intentionally break the addon.

6 Likes

Lol that’s a neat trick. Will be undone every supervisor update but could just be started on a schedule or something. Props

That’s fantastic, and it shows the kind of can-do spirit which makes HA such a great product. Thank you!

That said, I hope this add-on doesn’t become “the” solution. It’s one thing to hack out a patch to fix something stupid in a package (I did a lot of that during a long IT career) but as you say, there is risk and administrative overhead.

The right solution would be to put in a proper opt-out in the base code. An additional option to run it on a less frequent basis would be nice for some, but the most critical piece is the opt-out.

1 Like

If you leave it enabled to run on start it’ll do it every time HA is restarted. I wouldn’t recommend doing that, as the next update may have a breaking change, so it would be worth investigating before running it.

I agree, I hope to not have to maintain this into the future. Like I said, I get both sides of the argument, but scheduled checking of passwords is definitely not the way to go about it.

If you must check my credentials do it when I’m saving the edits, and even then don’t stop me from saving my edits, you’ve done your due diligence and informed me I’m doing something you disagree with, now let me do it anyway.

2 Likes

This is about passwords within add-on configs. That’s it.

Sorry to cross-post, I mentioned this over on the feature request thread, but…

I haven’t gotten a notification in two days, possibly from around the time I updated Supervisor to 2021.03.03. My automation blocking the notifications hasn’t blocked anything since then, either. Anyone else seeing this?

The only thing that changed was that additional error handling was added:

The addon doesn’t copy the new addon_pwned.py in my installation.
But putting the content by hand solves the password notification problem. So thanks for that.

The new release installed today but no opt out for this annoying thing. What is wrong with the developers?

1 Like

We already have the working solution, though :wink:

Which “new release” are you referring to?

If you mean the latest patch release of Home Assistant (currently 2021.3.3) it plays no part in checking for pwned passwords. That function is performed by Supervisor and the latest version of Supervisor is currently 2021.03.4 which was released 5 days ago.


If you are interested in learning what changes the development team is making to Supervisor, you can read the open/closed Pull Requests in the Supervisor repository.

1 Like

No we don’t. That patch is just a band-aid. When there is an opt-out or the function is removed, then we will have a working solution.

3 Likes

It was an attempt to use irony to support John’s statement, hence the emoticon.

My $0.02 worth (and with everyone else on this thread it comes out to a tidy sum when added up!)…

I think that it is a bit nannyish to force people to comply with someone’s idea of how you should manage your passwords, but I support a bit of a nudge in the right direction. This is not a nudge, it is a hard push.

When dealing with web sites, I completely understand and support their password rules because that’s publicly accessible, but my home network is not published to the Internet. There are those that will say “oh you think your home cannot be compromised?” and I’m not so naive, but I also realize that if they breached my firewall in the first place then they probably won’t have much trouble getting into pretty much anything else I have in my house, so this is an exercise in futility.

I’m quite security conscious. I use password managers and have, literally, a different 30 character secure password for every publicly accessible account I have. For my internal network I don’t use passwords like “Password”, I use complex passwords, but I have just a few memorized passwords that I use that meet any complexity requirement out there. Just because I used those memorized passwords online at one point in time doesn’t compromise my internal network and my password manager also lets me know when there has been a breach so those passwords were changed ages ago and never get used outside my internal network.

Also, while I have no problem with applications that audit my passwords I have a big problem with that password being checked against an online site without my permission. HASS has crossed a line by sending my password to haveibeenpwned. If I was the target of a hacker and they have spyware on my system that I’m unaware of then HASS just sent a request to a site that has my IP address and at least one password. What happens when haveibeenpwned gets hacked (and they will) and the hacker goes through the logs and sees a request from my public IP to check a password out? They will use that password as their first test to see if my firewall might share the same password, and if it doesn’t then why not hack my firewall and then go to town on every device I own using that password? And since my SSH and my Samba passwords are different, they actually have two. What’s next? Sending every password in secrets.yaml to this site I have not authorized? This is not ok.

All of that being said, it’s the responsibility of the user to decide if they want to use a password and the complexity of that password, I don’t need HASS “big brothering” me by nagging me like shareware throughout the day, thus rendering the usefulness of notifications to zero since I have to ignore them now.

My opinion has been stated, I think this is something that should absolutely be a toggle in HASS. In the meantime, I’m not going to whip myself into a frenzy over one questionable change to an otherwise great piece of software that works great in every other aspect. I’ve added the great automation above, I’ve added domains to my Pi-Hole to stop this nonsense and I move on.

6 Likes

To be fair, the entire password isn’t being sent. It’s the first 5 characters of a hash of the password. I’m not condoning the action at all. Just pointing out that it’s not the full password that is being sent.

1 Like
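The post above describes the k-anonymity scheme used by haveibeenpwned's Pwned Passwords range lookup: the client hashes the secret with SHA-1, sends only the first 5 hex characters, receives every known hash suffix for that prefix, and compares locally. This added example (not Supervisor's code; the response body and breach counts are constructed so it runs offline) shows exactly what leaves the host and what is matched on the client side.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for a range-lookup response body for prefix "5BAA6".
# Real responses have the same shape, "<35-hex-char suffix>:<count>", but
# these suffixes and counts are made up, except that the first line is the
# genuine SHA-1 suffix of the string "password".
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000000000000000000000000000000001:2
ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:17
"""


def sha1_prefix_suffix(secret: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of `secret` into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def outbound_request_path(secret: str) -> str:
    """The only secret-derived data that leaves the machine: the 5-char prefix."""
    prefix, _ = sha1_prefix_suffix(secret)
    return f"range/{prefix}"


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> breach-count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_lookup(prefix: str) -> str:
    """Hypothetical transport stub standing in for the HTTP range request."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(secret: str, lookup: Callable[[str], str]) -> int:
    """Return how often `secret` appears in the (sample) breach corpus, matched locally."""
    prefix, suffix = sha1_prefix_suffix(secret)
    return parse_range_response(lookup(prefix)).get(suffix, 0)
```

The server never sees the full hash, so it cannot tell which of the returned suffixes (if any) the client was interested in; the value it does learn is the requesting IP plus a 5-character prefix shared by a large number of unrelated passwords.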