Opt-out of pwned secrets warnings

I don’t care what guarantees are given by K-Anonymity. Sending any data to a third party without my permission, particularly (albeit coded) password details, is not on! We need a way to disable this.

27 Likes

The car analogy is great.

If I run a car in a closed, confined space (my private area), I basically can legally dismantle just about anything from that car. It’s up to me how I want to operate it.

I’ve blocked my HA from internet now.

Probably look into either the source code or so, to block the recipient of data.

3 Likes

This.

It seems that the longer HA moves forward the more this concept seems to get trampled on.

Seriously?

Not every implementation of IoT devices allows over-the-air updates.

And not every OTA update finishes successfully.

In either of those situations you will then need to “dismantle” something (even if it’s just taking off the wall plate for your switch to gain access to the device).

And it was all forced on someone who kept getting nagged to update a password when there was no reason to be concerned in the first place. Or if there was a reason the person actually used their autonomy to decide to do it anyway.

But…

Is this only affecting supervised installs? Makes me wonder based on this:

10 Likes

It’s completely horrible practice.

Anyone who has security cameras/alarms and locks hooked up should check their terms & conditions. There is a significant risk that their insurance will be voided due to sending password data to a third-party provider.

6 Likes

That is wrong :slight_smile: most attacks come from an internal network, with software installed over exploits or add-ons, as well as guest devices. You need to be more careful about an attacker on your network than one from outside.

6 Likes

Spot on. Whether you are on my network or not, you crack my home assistant credentials and you have access to my MQTT broker. So I could have the most secure password in the universe and it wouldn’t matter.

6 Likes

If they are already on the LAN and have access to the homeassistant configuration, then they also have access to the secrets file where all the passwords are stored in plain text anyway, so that’s a moot point.

16 Likes

I just added the pwned domains to my pi-hole. Hopefully this will stop the absurd behaviour of HA. I don’t need an app sending unneeded data out over my metered connection.

11 Likes

Please let me know if that works for you to add them to AdGuard (if it is not a trouble, can you share your list?).

2 Likes

FWIW this automation works well for me: Muting pwned secrets warnings

I’d rather the feature be something I can opt out of. But at least I can just automatically dismiss the notification when it appears.

I don’t want to just “mute” them. I want to eliminate them completely.

1 Like

I’ve updated the thread title to make that distinction more clear as well.

I’m using pi-hole, not AdGuard. I was able to add the domains ‘haveibeenpwed.com’ and ‘pwnedpasswords.com’ as wildcards, so anything sent to a domain that has those as part of the domain is basically tossed.

5 Likes

Ironic to me that HA has a file called secrets.yaml where passwords are stored.

9 Likes

I’m not mad at the feature, but I, like a lot of folks, use simple passwords for things that aren’t exposed to the internet.

I don’t think they’re doing any of this “trying to promote best practice” nonsense that one guy was talking about, but simply giving us an alert mechanism to let us know we have a potential issue.

What I’m annoyed by is the fact that, from what I’ve seen, I don’t get a specific integration that could be exposed.

I do want to know if there is a potential security risk, but don’t annoy me about internal passwords.

There should be a choice to mute each instance of this individually like an Android app. Let me choose which things I want to be notified about and which I don’t.

Then, it will be an even better tool.

5 Likes

This just sucks… My password has a part that probably some other people will use also, but also a random part. Still I get this warning time after time.

I would need to put a lot of time into getting everything up and running again with MQTT and Zigbee2MQTT. This isn’t done in a couple of minutes with my devices… I have 20+ of those.

1 Like

Two passwords that only differ in one character will not create the same-ish hash.
You can “test” hashes here: SHA256 - Online Tools

So your random part is probably not as random as you think.

Nagging me about this forces me to revert back to an older version.
How good is that for the project’s “reputation”?
Nobody decides how I protect and manage my environment, neither should HA.

5 Likes
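As an added illustration (not code from this thread or from Home Assistant), here is the k-anonymity range lookup the posts above are arguing about, written against the protocol the Pwned Passwords API documents: the client hashes the password with SHA-1 locally, sends only the first five hex characters of the digest, and compares the returned suffixes itself. A constructed in-memory index stands in for the real service, and the constructed breach counts are made up. It also checks the point made in the post above that two passwords differing in one character produce unrelated hashes.

```python
import hashlib

# Constructed breach corpus standing in for the real Pwned Passwords data set.
# Only the simulated server sees this; the client never does. Counts are made up.
CONSTRUCTED_BREACHED = {"password1": 2_400_000, "letmein": 500_000, "qwerty": 3_900_000}


def sha1_hex(password: str) -> str:
    """Hash exactly as the Pwned Passwords range API expects: SHA-1, upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(breached: dict[str, int]) -> dict[str, list[tuple[str, int]]]:
    """Server side: group every breached hash by its 5-character prefix."""
    index: dict[str, list[tuple[str, int]]] = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


SERVER_INDEX = build_server_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> str:
    """Simulated GET /range/{prefix}: returns 'SUFFIX:COUNT' lines for that prefix only.

    The server learns the 5-character prefix and nothing else; every password whose
    hash starts with those characters sits in the same anonymity set.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be five hex characters")
    return "\r\n".join(
        f"{suffix}:{count}" for suffix, count in SERVER_INDEX.get(prefix.upper(), [])
    )


def pwned_count(password: str, query=range_lookup) -> tuple[str, int]:
    """Client side of the protocol.

    Returns (data_sent_to_server, breach_count). The password and its full hash stay
    local; the suffix comparison happens here, not on the server.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return prefix, int(count)
    return prefix, 0


def differing_hex_digits(a: str, b: str) -> int:
    """Count positions where two equal-length hex digests differ (the 'same-ish hash' question)."""
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    sent, count = pwned_count("password1")
    print(f"sent {sent!r} (5 of 40 hex chars), breach count {count}")
    sent, count = pwned_count("correct horse battery staple")
    print(f"sent {sent!r}, breach count {count}")
    h1, h2 = sha1_hex("password1"), sha1_hex("password2")
    print(f"password1 vs password2: {differing_hex_digits(h1, h2)} of 40 hex digits differ")
```

The `pwned_count` return value makes the data boundary explicit: the first element is everything that crosses the network. Blocking the domain at a resolver, as earlier posts describe, stops the query entirely, and in that case the client sees a failed request rather than a result.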

I don’t use a simple password. Though it is in the haveibeenpwned db. Why? Because Adobe had weak security and my password got snatched. Though that password is complicated enough for people not to get why I would use it. So it’s not so much a discussion about simple passwords. It’s about being in the db. Like anybody is going to do a brute force attack on my HA instance. Which is behind a VPN, on a separate VLAN from all other stuff. Maybe I should block HA from doing that query altogether, but should I have to go that far? Or should HA not be so intrusive?

9 Likes