That is wrong 
most attacks come from an internal network with software installed over exploits or add-ons as well or guest devices. You need more carefull from attacker on your network as from outside.
6 Likes
Spot on. Whether you are on my network or not, you crack my home assistant credentials and you have access to my MQTT broker. So I could have the most secure password in the universe and it wouldn’t matter.
6 Likes
If they are already on the LAN and have access to the homeassistant configuration, then they also have access to the secrets file where all the passwords are stored in plain text anyway, so that’s a moot point.
16 Likes
I just added the pwned domains to my pi-hole. Hopefully this will stop the absurd behaviour of HA. I don’t need an app sending unneeded data out over my metered connection.
11 Likes
please let me know if that works for you to add them to adguard. (if is not a trouble can you share your list)?
2 Likes
FWIW this automation works well for me Muting pwned secrets warnings
I’d rather the feature be something I can opt-out of. But at least I can just automatically dissmiss the notification when it appears.
I don’t want to just “mute” them. I want to eliminate them completely.
1 Like
I’ve updated the thread title to make that distinction more clear as well.
I’m using pi-hole, not adguard. I was able to add the domains ‘haveibeenpwed.com’ and ‘pwnedpasswords.com’ as wildcards so anything sent to a domain that has those as part of the domain are basically tossed.
5 Likes
Ironic to me that HA has a file called secrets.yaml where passwords are stored.
9 Likes
I’m not mad at the feature, but I like a lot of folks use simple passwords for things that aren’t exposed to the internet.
I don’t think they’re doing any of this “trying to promote best practice” nonsense that one guy was talking about, but simply giving us an alert mechanism to let us know we have a potential issue.
What I’m annoyed by is the fact that, from what I’ve seen, I don’t get a specific integration that could be exposed.
I do want to know if there is a potential security risk, but don’t annoy me about internal passwords.
There should be a choice to mute each instance of this individually like an Android app. Let me choose which things I want to be notified about and which I don’t.
Then, it will be an even better tool.
5 Likes
This just sucks… My password has a part that probably some other people will use also, but also a random part. Still I get this warning time after time.
I would need to put a lot of time in getting everything up and running again with MQTT and Zigbee2MQTT. This isn’t done in a couple of minutes with my devices… I’ve +20 of those.
1 Like
Two passwords that only differ on one character will not create the same-ish hash.
You can “test” hashed here: SHA256 - Online Tools
So your random part is probably not as random as you think.
Nagging me about this forces me to revert back to an older version.
How good is that for the projects “reputation”?
Nobody desides how I protect and manage my environment, neither should HA.
5 Likes
I don’t use a simple password. Though it is in haveibeenpowned db. Why? Because Adobe had weak security and my password got snatched. Though that password is complicated enough for people not to get why I would use it. So it’s not so much a discussion about simple passwords. It’s about being in the db. Like anybody is going to do a brute force attack on my HA instance. Which is behind a VPN, on a separate VLAN from all other stuff. Maybe I should block HA from doing that query all together, but should I have to go that far? Or should HA not be so intrusive?
9 Likes
I appreciate this warning; however, I agree with many here that its none of HA’s business. And frankly, HA should have ASKED my permission before sending My Data (encrypted/hashed/whatever) anywhere! I did not authorize this, and I see it as a breach of my privacy!
How do we turn this off or block HA from doing this?
13 Likes
I just want to be clear about something. It appears to me that HIBP searches to see if the password in question has ever been hacked - anywhere. It doesn’t seem to matter what user ID or system that password was associated with.
Is this correct? If so, how is this even helpful? Say someone else in another part of the world used the password “qOCQ0I7iPoZ1EZ34Tz5C” on some operating system I’ve never heard of at a company I’ll never have anything to do with.
What’s so bad about using that same password on some low-value system on my own LAN, with a different user ID and in a completely different context?
7 Likes
Exactly, and to top it off HA stores passwords in plain text (which I totally understand).
So as soon as anyone got in to my HA then my unsafe node red password is irrelevant anyway.
4 Likes
im on a knife edge about abandoning HA all together
between the problem of it constantly locking me out of my amazon account, crashing for no apparent reason, and now this…
75% of my smart stuff has been removed last weekend due to how often it wont work because of HA issues, and i only started with it all 6 months ago
This is a TERRIBLY implemented and half-baked feature.
Yes, weak passwords are bad, and nobody should use them. However, there are times when a particular password is weak for a reason. There are even times when there is a reason to not change a password that is known to be compromised.
More importantly, these notifications are not helpful. For some, it can be clear where and what the offending password is, for others, it’s a complete mystery. I get constant notifications about core_ssh.
As far as I know, there is no core_ssh. There’s HA Core, and there’s the SSH and Terminal addon I have installed, but I have no idea what core_ssh is, where it is, or what password is supposedly pwned. There’s a link to an explanation of what a compromised password is, just in case I’ve been living in a cave since the 90’s, but that’s it.
No direction. No useful links. No action suggestions, just a “hey, you’ve got a mystery password that sucks somewhere. Go find it and try to suck less.”
We need to be able to turn this off, and it needs to be turned off for everyone until it is fully function. In it’s current state, it is much more annoying than helpful.
16 Likes