Opt-out of pwned secrets warnings

Hey Shanon, don’t see anything in logs, where should it be?

Would show up on the page for the add-on on the last tab after you ran it.

I have no password stored in secrets.yaml, it’s still the default file created by HA during installation, but I still get the 2 notifications:

# Use this file to store secrets like usernames and passwords.
# Learn more at https://www.home-assistant.io/docs/configuration/secrets/
some_password: welcome

Do you think it’s enough if I clear this file, or anyway the passwords are also searched elsewhere in HA?

Turns out I was wrong. It’s not checking secrets.yaml at all.

Ok found it
Here the log

[s6-init] making user provided files available at /var/run/s6/etc…exited 0.
[s6-init] ensuring user provided files have correct perms…exited 0.
[fix-attrs.d] applying ownership & permissions fixes…
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts…
[cont-init.d] done.
[services.d] starting services
[services.d] done.
/app/run.sh: line 3: docker: command not found
Supervisor not detected, exiting
[cmd] /app/run.sh exited 1
[cont-finish.d] executing container finish scripts…
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.

That wasn’t the case for me, although the add-on I had came from a repository that I had added myself for this specific integration, so not sure if this makes a difference. Mine started and ran OK, with a permanent notification warning me of a disclosed password until I corrected it.

That’s odd, docker should definitely be part of the container.

Did you disable protected mode? That needs to be done so the container can access docker APIs and other containers, perhaps HA doesn’t build with docker if protected mode is enabled?

Yes, it’s disabled, and I rebuilt as well.

I am referring to the “Home Assistant Community add-ons” repository. Not add-ons from any repo anywhere from other members of the community in general.

No official way I am aware of, but you can vote for the feature here: Opt~out/in Password check to third party - Feature Requests - Home Assistant Community (home-assistant.io)

Interesting that they are handled differently. This doesn’t feel right anyway…

They aren’t handled differently. The creators of the addons don’t add it in. All the ones made by HA follow a standard. Custom addons typically do not follow any standard.

I’m obviously lost already.
NodeRed and mqtt are community addons. NodeRed is made by frenck. At the same time those are among the many that cause problems with the new feature.

Yep, you must be. These are the official addons: https://github.com/home-assistant/addons

Bad security posture is bad security posture. No ifs or buts. Go change your passwords.

Sure it’s a “local trusted network”, which is only a bad firewall rule or a device compromise away to lose either the “local” or the “trusted” adjectives.

Can’t get to it right now and want a longer “snooze” time? Understandable. Snoozing it forever? Does not make sense.

Let’s get rid of bad passwords. One of the reasons many people decided to deploy Home Assistant was to get away from vendors who are clueless about security, with bad passwords being a major factor. Let’s not behave like clueless vendors.

4 Likes

Except… It’s not about bad passwords.
It’s about passwords that have been leaked.
You can have a 100 character password and it will be flagged as “bad” because someone else used the same password on a different site that was breached.
How does that make the password “bad”?

7 Likes

Let’s get rid of passwords altogether, especially in cases where they are not necessary. And I, as a user of open source software, should be the only one who decides whether a password is strong enough or even required. I don’t need to be lectured by anyone else about my password strength. Sure, a suggestion is fine, but the inability to turn it off, and even turning it on without any notice or question, is very bad in my eyes. Please don’t leak ANY information about my passwords to the internet, even if those were just 5 characters of my password’s hash!

9 Likes
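The two posts above disagree about what a “pwned password” check actually reveals. The following is an added example (not code from Home Assistant or from the add-on discussed in this thread) of the range-query design behind the Pwned Passwords service: the client hashes the password with SHA-1, sends only the first 5 hex characters of the digest, receives every known suffix under that prefix, and does the final match locally. The breach corpus, its counts, and the `range_query` function standing in for the remote endpoint are constructed here for illustration; the `welcome` entry mirrors the sample secrets.yaml quoted earlier in the thread.

```python
from __future__ import annotations
import hashlib
from collections import Counter

# Constructed sample corpus standing in for a breach database. In a real
# deployment this lives on the checking service; the client never sees it.
# Counts are invented for illustration.
BREACHED_CORPUS = Counter({
    "password": 3_000_000,
    "welcome": 450_000,
    "letmein": 120_000,
})


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest the range protocol keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: Counter) -> dict[str, list[str]]:
    """Index the corpus the way the service does: prefix -> ['SUFFIX:COUNT', ...]."""
    ranges: dict[str, list[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


RANGES = build_ranges(BREACHED_CORPUS)
SENT_PREFIXES: list[str] = []  # records exactly what the client transmits


def range_query(prefix: str) -> list[str]:
    """Stand-in for the remote range endpoint (assumed interface, not real code).
    It only ever learns a 5-hex-digit prefix, which covers ~1/1,048,576 of all SHA-1
    digests, so it cannot tell which password in that bucket the client holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 hex digits")
    SENT_PREFIXES.append(prefix)
    return RANGES.get(prefix, [])


def pwned_count(password: str) -> int:
    """Number of times the password appears in the corpus; 0 means not found.
    Only the prefix leaves the client; the suffix comparison happens locally,
    and the full hash is never transmitted."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix):
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "welcome", "a long unique passphrase nobody reused"):
        n = pwned_count(pw)
        print(f"{pw!r}: seen {n} times; client sent only prefix {SENT_PREFIXES[-1]}")
```

Note what the check does and does not say: a long passphrase that nobody else has reused returns 0 and is never flagged, while any password present in the corpus is flagged regardless of its length, which is the point raised above about 100-character passwords. The service learns a 5-character prefix and nothing else about the secret.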

Non-unique passwords are “bad”, because that same database is available to everyone.

I can’t believe we keep coming back to arguing password policies. That is irrelevant.

The issue is forcing some developer’s personal opinion about how passwords “should” be managed, and their personal preference as to the process used to enforce that, on every HA user… every hour.

Forget about passwords and look at the big picture. The fact is, not everyone in HA agrees that this process needs to be done every hour, needs to be done using this particular third-party solution, or even needs to be done at all.

In every other respect, HA is all about giving us - the people installing the system - options.

How can anyone possibly think that’s not a good idea?

19 Likes

I would like to change the NUT password for my Synology NAS, but sadly that always gets reset back to default when I install a DSM update.

Great feature though! Strong passwords are always a good thing. I couldn’t survive without KeePass anymore.