Opt-out of pwned secrets warnings

Yep, put it on by default, let us turn it off if we see fit - just like protected mode for supervisor.

edit: hell, I’d settle for a warning anytime I saved a file with the password in it, not every fricking hour - wasted cpu, bandwidth, and patience.

1 Like

No, but times change and people make mistakes. It’s all about prioritizing. With the integrations that got compromised, it’s a pretty logical move from the devs. Doing nothing would also end up in a discussion. There are always at least 2 camps.

[edit]
Spelling

Yes they do… What do you think that noise is in the car when you don’t have a seatbelt on and the seat senses weight?

I think you misunderstand me. The feature is there from the start. This feels like I was sold a car without a seatbelt fitted and now I’m getting the nagging beeping alert a year later… And the car only ever travels 2 mph on private property!!!

3 Likes

I think users have to be asked before their passwords are checked against the pwned database, even if it is only a hashed version.
Every password manager asks before doing it.

4 Likes

I have pretty new cars and there is a way to turn off the seat-belt chime. I had them turned off in both of them. I still use the seat belt 100% of the time, but I do not need the reminder.

to add, it is not trivial and there is no button on the dashboard to turn off the seat-belt chime, but I would venture to say that can be done in all cars.

I have no opinion on the HA functionality in question. Was just here to point out the flaw in the seatbelt analogy, I’ll see my way out.

1 Like

I get your point, but the seatbelt example is not the same situation.

It’s more like, when you buy a car and the seller says: “Go ahead, it’s all yours now.”
You get in the car and drive for a year or so. Then rules change and the government thinks there are too many accidents, and because they can’t check the driving skills of every user, they make a rule for everybody.

Wear a seatbelt.

Not because it has to be your fault when getting in an accident, but other people are on the same road.

In this case, integrations had the power to grab your stuff, send it over the internet, and you didn’t even notice. I’m talking about the people whose HA instance passwords got compromised.

It should be an option for power users. That being said, everybody can install an image to a USB drive and spin up an instance. So people are getting lazier with setups.

I assume some people just spin up an instance, setting it up. Then forget all about the setup part afterwards because it’s a while back. I think people don’t like to change their stuff, because maybe something in their config will break.

“No one wants my passwords, I’m a nobody”… …until sh#t happens
Where are you going to complain about it then?

Right, the Home-Assistant forums, Reddit etc. Blaming the devs for not taking any action when the leaks happened a while back.

These are all my opinions, not trying to flame anyone.

I understand both camps.

2 Likes

worked like a charm, many thanks!

I agree for what it’s worth, and I think the seatbelt analogy has probably gone beyond useful now!
I don’t think many here have issue with the concept per se, but the implementation has been a bit of a disaster. Nobody likes a notification that you can’t mute that pops up every hour.

Is this part of supervisor or core?

If it’s the latter… I may delay updating.

Supervisor

I’m about finished writing an addon to check supervisor/resolution/check.py to see if the module is loaded, patch it out, then send you just one notification that you need to restart.

I’m on holiday, and the internet here is really a sore point lol

Edit: as the thread is locked, I’ll tack it on here so y’all can find it: https://github.com/freman/hass-nopwned is available as an addon now. Please be aware this is very much at your own risk, but it works for me. I wouldn’t release it if I wasn’t using it :smiley:

4 Likes

I’m wondering if this might be a violation of the EU privacy laws? I’m not in the EU and don’t know a lot about them, but from news reports and other stories I read, it seems companies have gotten in trouble for less than this.

Maybe users in the EU might be able to share some info about it.

6 Likes

As far as I know the law is, in short, you are not allowed to have two data points of the same person at the same place.
Such as name and phone number.

In this case you only send one partial piece of information.
I doubt it would be an issue, especially since Google has a similar thing.
Perhaps implemented differently though

I’m far from a GDPR / AVG specialist, but it does not seem a violation of the GDPR. And since Home Assistant is an Open Source project, not a company, you could not even file a complaint about HA violating the GDPR. Nabu Casa is a company, but since they are only responsible for the HA Cloud, filing a complaint for violating the GDPR against Nabu Casa would not work either.

There are two ssh add-ons. One in the core repository and one in the community repository which has more features. Are you sure you don’t have both?

For some reason I don’t get this warning about my MQTT anymore… Have they disabled it or is my password suddenly (like I think from the start) ok enough…

Although I do not think this is a violation either (but then again IANAL and they are transferring something that could be classified as personally identifiable information, a partial hashed password, without consent or opt-in / opt-out), it can certainly be enforced against open source projects just as well as against companies. It would be enforced against the maintainers and possibly against the developer of the code that is in violation.
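What “a partial hashed password” means in practice, shown as an added example that is not Home Assistant’s own code: under the range-lookup scheme used by Pwned Passwords (assumed here to be the check the thread is discussing), the client hashes the secret with SHA-1, sends only the first five hex characters of the digest, receives every known suffix for that prefix, and does the final comparison locally, so neither the secret nor its full hash leaves the machine. The breach corpus and the in-process “server” below are constructed stand-ins so the script runs offline, and the function names are my own.

```python
"""Range lookup of a partial password hash, simulated offline.

Only PREFIX_LEN hex characters of the SHA-1 digest are sent; the
server answers with "SUFFIX:COUNT" lines for every hash it knows
beginning with that prefix, and the client matches the suffix itself.
"""
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # characters of the 40-char hex digest that leave the machine

# Constructed breach corpus (secret -> times seen); not real breach data.
FAKE_BREACH_CORPUS: Dict[str, int] = {
    "password": 3_000_000,
    "letmein": 120_000,
    "hunter2": 45_000,
}


def sha1_hex(secret: str) -> str:
    """Upper-case hex SHA-1 of the secret, as the range API expects."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def split_for_range_query(secret: str) -> Tuple[str, str]:
    """Return (prefix sent to the server, suffix kept locally)."""
    digest = sha1_hex(secret)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def fake_range_server(prefix: str) -> str:
    """Stand-in for the range endpoint (constructed, runs in-process).

    Returns one "SUFFIX:COUNT" line per corpus entry whose digest starts
    with `prefix`, plus a filler line with a made-up suffix so that, like a
    real response, it also contains entries unrelated to the caller.
    """
    lines = []
    for secret, count in FAKE_BREACH_CORPUS.items():
        p, s = split_for_range_query(secret)
        if p == prefix:
            lines.append(f"{s}:{count}")
    filler = "0" * (40 - PREFIX_LEN)  # constructed suffix, not a real hash
    lines.append(f"{filler}:1")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict; tolerate blank lines."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count or 0)
    return table


def pwned_count(secret: str,
                fetch: Callable[[str], str] = fake_range_server) -> int:
    """How many times the secret appears in the corpus (0 = not found).

    Only `prefix` is handed to `fetch`; the suffix comparison is local.
    """
    prefix, suffix = split_for_range_query(secret)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "hunter2", "a-long-unique-passphrase-9f1"):
        prefix, _ = split_for_range_query(candidate)
        print(f"{candidate!r}: sent prefix {prefix}, "
              f"seen {pwned_count(candidate)} times")
```

The point for the privacy discussion is in `pwned_count`: the only value passed to the (here simulated) network call is the five-character prefix, which is shared by a large number of unrelated hashes, while the full digest and the secret stay in the caller’s process.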

Don’t know. Is the TV turning on by itself? :rofl:

1 Like