That wasn’t the case for me, although the add-on I had came from a repository that I had added myself for this specific integration, so not sure if this makes a difference. Mine started and ran OK, with a permanent notification warning me of a disclosed password until I corrected it.
That’s odd, docker should definitely be part of the container.
Did you disable protected mode? That needs to be done so the container can access docker APIs and other containers, perhaps HA doesn’t build with docker if protected mode is enabled?
I am referring to the “Home Assistant Community add-ons” repository. Not add-ons from any repo anywhere from other members of the community in general.
They aren’t handled differently. The creators of the addons don’t add it in. All the ones made by HA follow a standard. Custom addons typically do not follow any standard.
I’m obviously lost already.
NodeRed and mqtt are community addons. NodeRed is made by frenck. At the same time, those are among the many which cause problems with the new feature.
Bad security posture is bad security posture. No ifs or buts. Go change your passwords.
Sure, it’s a “local trusted network”, which is only a bad firewall rule or a device compromise away from losing either the “local” or the “trusted” adjectives.
Can’t get to it right now and want a longer “snooze” time? Understandable. Snoozing it forever? Does not make sense.
Let’s get rid of bad passwords. One of the reasons many people decided to deploy Home Assistant was to get away from vendors who are clueless about security, with bad passwords being a major factor. Let’s not behave like clueless vendors.
Except… It’s not about bad passwords.
It’s about passwords that have been leaked.
You can have a 100 character password and it will be flagged as “bad” because someone else used the same password on a different site that was breached.
How does that make the password “bad”?
Let’s get rid of passwords altogether, especially in cases where they are not necessary. And I, as a user of open source software, should be the only one who decides whether a password is strong enough or even required. I don’t need to be lectured by anyone else about my password strength. Sure, a suggestion is fine, but the inability to turn it off, and even turning it on without any notice or question, is very bad in my eyes. Please don’t leak ANY information about my passwords to the internet, even if those were just 5 characters of my password’s hash!
I can’t believe we keep coming back to arguing password policies. That is irrelevant.
The issue is forcing some developer’s personal opinion about how passwords “should” be managed, and their personal preference as to the process used to enforce that, on every HA user… every hour.
Forget about passwords and look at the big picture. The fact is, not everyone in HA agrees that this process needs to be done every hour, needs to be done using this particular third-party solution, or even needs to be done at all.
In every other respect, HA is all about giving us - the people installing the system - options.
How can anyone possibly think that’s not a good idea?
Hi folks, I’m the creator of Have I Been Pwned and the Pwned Passwords service. I also love Home Assistant and have just read through this whole thread. I think this feature should be configurable and it looks like that’s coming, which is great. But there’s also a heap of content here which really misses the mark in terms of both the risk of bad passwords and how Pwned Passwords works. I’ve just published a blog post to address this so rather than go through it all one by one here, have a read of the post if you’re interested and ask any questions in the comments over there: https://www.troyhunt.com/home-assistant-pwned-passwords-and-security-misconceptions/
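Added illustration, not part of any post in this thread and not Home Assistant's or Have I Been Pwned's own code: a sketch of the hash-prefix range lookup the thread refers to ("5 characters of my password's hash"), based on the publicly documented Pwned Passwords range format of `SUFFIX:COUNT` lines. The server is simulated offline; the corpus, function names and `fetch_range` parameter are assumptions made for the example.

```python
import hashlib

# Constructed stand-in for the service's breach corpus: password -> times seen.
# One entry is 100 characters long: length does not matter, only prior exposure.
CONSTRUCTED_CORPUS = {"password": 3, "hunter2": 2, "x" * 100: 1}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Offline simulation of the server: it receives only a 5-character hash
    prefix and returns 'SUFFIX:COUNT' lines for corpus hashes sharing it."""
    lines = []
    for known, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(known)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=fake_range_endpoint) -> int:
    """Return how often the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)  # the only value that leaves the client
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:  # comparison happens locally
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "x" * 100, "y" * 100):
        print(f"{len(candidate):>3} chars -> seen {breach_count(candidate)} time(s)")
```

The remaining 35 hex characters of the hash are compared on the client, so the service learns only which prefix bucket was requested.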