People thinking that their home network, their private network, is 100% secure clearly don’t know much about IT security and the various threat vectors. Unless you’ve spent thousands on expensive intrusion detection kit and AI to detect changing threats then it’s not. Even then, it’s probably not.
Passwords are not perfect, but it is what we have today. It would be nice if all our IoT devices supported OAUTH2.0 or mutual SSL, but they don’t.
All this change is doing is ensuring you haven’t set a password that hasn’t been compromised, I really hope you don’t use these passwords elsewhere on the internet!!
The worst kind of password is an already compromised password. They are usually the first used in an attack. Passwords should NOT have to be complex (requiring upper, lower, symbol, number) as that isn’t anymore secure, in fact it’s less secure ( NIST Password Guidelines and Best Practices for 2020 (auth0.com), they just need to be long (preferably over 10 chars) and NOT be compromised elsewhere.
I fully agree. My name was used as well. It was just an observational opinion and now mr Troy, who has a business and a name to run “uses” my “hobby” opinion out of context.
Edit… I have thought about a bigger response to discuss what he wrote there… But I think I have nothing to gain with that. I use homeassistant purely as a hobby and just have some doubts about all this “forced education” on password usage. It’s not my cup of tea atm. Although I fully agree it is better to use secure passwords.
And to respond a little on my previous post, since the time homeassistant “added” this feature the extra traffic (api) to HIBP can filter all homeasssitant users out. Again, I have no other devices deliberately asking info from his platform. I think (personal hobby opinion) you do not have to be a very good data analyst to trace back the source of the request (IP address, hash of password being checked etc.).
But as Troy said… we have to trust him.
And what I also thought lately… what if Microsoft would have just added this “feature” in a windows update? I think the world would have be too small and it would have made it into all mainstream media
Like software that you installed being automatically updated to suddenly do something with your personal data that you didn’t consent to? Yeah that’s quite a big threat to your security. Most of us in this thread thought that the devs would never do such a thing, that’s why we used it in the first place.
Ah, so you welcome the devs using your personal data in a way you didn’t consent to? So if in a weeks time they forcibly update your system to add your location to a publicly available map of all home assistant users will that be OK?
Fact is that this change overstepped the mark and people should have been given the choice whether or not they wanted to participate having been given all the facts of how it worked up front. Likelihood is that 99.999% would have happily accepted the change in those circumstances without issue.
Instead you now have a huge swathe of end users who feel violated and upset, and rather than trying to allay their fears most of the responses from ‘technical’ users, major contributors and senior devs has been sarcasm, derision and dismissal. That’s really poor by anyone’s standards.
Not only would it overflow the usual media outlets, it would most certainly trigger legal action against Microsoft.
I read the blog from the HIBP owner. What can I say. It’s exactly that kind of I’m always right and you’re wrong if you don’t agree mind set that makes anti-features like this one possible. But @CaptTom said it much better than I could in his post above. If anything, it made me lose the last yotta of trust I could have had in the HIBP website.
Anyway, I’m out of this discussion. It leads nowhere. This isn’t about the feature anymore, it’s about the ego of certain devs who just can’t handle the fact that the community pushes back on one of their pet features. I use HA Core only, so I’m not (yet) impacted. At least I can always patch stuff like that out of the code. If things like that become the new norm, I’ll have to find a way to manage my home without HA in the future.
Homeassistant is using the passwords (data) in a way that was not intended or consented to by the end user. The end user added the password with the sole intention to connect to a specified service, homeassistant is using it to compare against a list provided by a third party who may or may not be trusted by the end user. There are many reasons why people may not want to use this service, and that should be their choice.
I feel like I already covered this, but I NEVER said they were?
I do understand how it works and I am not angered by it. I have not been adversely affected by this change and always use strong unique passwords and additional authentication options wherever possible. As I pointed out in my post (that you chose to ignore the contents of, but reply to anyway) it is the enforced delivery and poor implementation of the feature and the subsequent behaviour of people who should know better that is a problem here, not the feature itself.
That said, if HIBP was ‘sold to the highest bidder’ tomorrow I would want the option to disable this feature until I had the opportunity to decide how much I trust the new owners - anyone who argues against the concept of a toggle switch for this feature is asking for trouble purely on this basis alone. Even the owner of HIBP agrees! Therefore, this feature should not have been implemented ‘gung-ho’. Five minutes of thought before mucking around with people’s private data should not be too much to ask, especially on a platform that bills itself as privacy conscious.
Interesting. Either you don’t understand the difference between a website and a browser, or you’re talking about a built-in password manager. I’ll assume the latter…
Browsers’ password managers can be turned off. Presumably you leave yours switched on. That’s cute. Browser password managers are generally not themselves password/2FA protected, don’t generate particularly strong passwords and are tied to the browser - you should consider using something more secure.
Can you offer any more details? Is it a full opt-out or does it just suppress the nagging? Can the checks be allowed but less frequently? Only at the first use of the password?
And, of course, when will it be available?
Since making the change without much discussion didn’t work out so well, perhaps having a discussion about the fix before implementing it might not be a bad idea.
IHBP fails that test too. Lots of ridiculously long pass phases fail their test too. IHBP is a “one size fits all” processes that does not encourage best practice password/phases. Take a really bad password add an ! or * on the end and suddenly it passes IHBP… It is still a terrible password.
If this was a problem, force a two factor authentication. Any system that “lives” out side of your firewall should have 2 factor turned on as well as an IP block for failed attempts… That is pretty much the best that a home user can do.
The fact that every HA Pi is “pinging” the HIBP service every hour, in an incredibly inefficient brute force manner makes me think that something else is at play here. Any reason that IHBP would want to see a significant increase the use of its service?
The use of an external service receiving user data, even if only the IP address which allows at least for geolocalization, falls within the definitions of “personal data” according to Art. 4 of the European GDPR.
This requires explicit consent received from the data subject (i.e. the user), as for example the same happens for the use of cookies when browsing websites.
Therefore the user should give explicit consent to the use of his data by the HIBP service, since a generic consent to use of the Home Assistant system and services cannot be considered sufficient.
Moreover, according to the Art. 13 GDPR, the user should have been given detailed information about the controller, included the identity and the contact details of the controller i.e. the IHBP, and even have the right to object (Art. 21 GDPR)
Finally, everything considered, “Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.” (Art. 77 GDPR)
what’s the IP it checks with? I can simply block that in my router. Not happy with this leak of hashes leaving my network without my control, knowledge or permission.
I have a device which I have firewalled all IPs except those necessary, but it has password limitations of 6 characters and numerals only.
To anyone interested, the password check can now be disabled with the command below in the CLI using the latest versions of either the core-ssh add-on or the community ssh add-on:
Terminal & SSH (core) version 9.1.0
SSH & Web Terminal (community) version 8.0.4
ha resolution check options --enabled=false addon_pwned
and then ha host reboot
