Opt-out of pwned secrets warnings

Same for me, I tried changing the two config passwords and not only did I still get the password complaints, but it broke all my flows using Pushover by losing the api keys.
It even gave mqtt failure to connect messages.
I ended up restoring an older snapshot.
Can anybody help with getting node red to work after these password nags?

No, supervisor uses: api.pwnedpasswords.com

Can we stop all the Seatbelt analogies? It doesn’t apply to this. We should be comparing to other mature IT solutions. Samba has been around forever, the risks are inherent in the service itself. There are hardening options available and applied by default when you install the add-on, like the trusted networks. If my internal LAN is compromised and I left samba running, and I used a weak password, and I didn’t have my local instance running HTTPS so that the username could be sniffed, and I don’t have 2FA on my HA instance to protect ingress, and I used that same password for other services, and on and on. Yeah many of us do this, but aren’t we accepting liability for our own actions when setting this stuff up?

I’m here because I’m being nagged about MQTT password being weak. It’s a local only account, a local only service and, for me at least, nothing secure runs on it. Just lights and some other status info. If I had the option to run the service with no password, I would. MQTT reminds me of SNMP, and maybe the devs should be comparing to services like those instead.

Yeah, I hate when an analogy doesn’t seem to click.

:joy: perfect

/takes a bow :wink:

None of the password managers reveals where the password is used.
Here you can find the pattern on GitHub.

Comment from the peanut gallery:
The only truly effective IT security between your environment and the Internet has to be at the single port (pun intended) of entry… your router/firewall. Managing security from multiple points will doom you to leaks… so stop trying to secure your place with application based software.
Now if you’re concerned with security issues within your LAN/Organization/Family… you’ve got other issues that cannot be dealt with via software and really shouldn’t be discussed in public. :slight_smile:

There are no such thing as internal or external, only layers of security :slight_smile:
Getting a simple foothold, and being able to move easily between systems is always nice with bad passwords, then you don’t have a footprint on the systems that are ‘important’ until the killshot is done.
Uh, of course I know nothing about such things, so ignore my input…

Feature request put in place for making this an option:
Opt-out/in Password check to third party?

If you prefer it as optional, pls vote.

imho, it’s silly we must enter long discussions or vote to make things be done right.

but I did vote anyway.

This is the reason why I signed up for this community.
The question was how to get rid of this warning, not what about your hopes for HA (Home Assistant).
If people are using HA it is most likely for the flexibility of the product. So if anyone asks for restrictions, he is promoting a closed solution. And how well this worked in terms of ‘security’ we have seen so many times. So please ‘inform’ about the situation once, but let me decide what to set up and how.

Thanks a whole bunch for this… I always find it difficult to figure out the relevant trigger object. You are a gentleman and a scholar.

Quite sure.

I have Terminal & SSH installed. I do not have SSH & Web Terminal installed.

More to the point, the ‘warning’ message says core_ssh, which doesn’t appear to be either of those, and is not a clear message.

That’s the real heart of my complaint. The notification isn’t useful because it doesn’t contain enough information to be actionable by the average end user.

For now, I’ve set up the previously recommended automation that clears these worse-than-useless notifications as they come in, but that is a totally unacceptable solution as anything other than a bandaid.

Regarding the seat belt analogy. There is a hidden option to disable the tones on Subarus. Even on US models. I believe other cars have this in EU/CAN as well. I know for certain Audi does.

I would love to see an option to disable this HIBP check.

Check the names again. You are now claiming to have the one from the core repo, and not the one you mentioned at first. This is why I shared the screenshot. There are two and they have similar names but are not the same. One is from the core repo, and the other is from the community repo. The one from the community repo has many extra features.

All the add-ons from the core repository are prefixed with core-

If you are running Terminal & SSH, you are running core ssh. The add-on slug names are visible in your url address bar:

Interesting. I changed my password in that app to one I had never used before, and when the messages kept popping up, I assumed that was not the problem. I guess I must not have clicked Save.

Thank you for the assistance.

That said, this is still a terribly implemented feature that (lightly) violates our privacy without our permission, and provides feedback that is incomplete, making it difficult to act on.

What are you talking about? What data? (irt to my homeassistant).

I don’t want hassio to send my passwords, my password hashes or part of them to anybody!
If someone exploits pwnedpasswords.com they will know that my IP address has a weak password associated. Not so cyber safe!

Most likely they do not have your IP.
And even if they do then they only have five characters of the hash of your password.
Not even close to enough.
And they don’t have your username, so yet again, not enough.

Even with your username, IP and the hash of your password then it would still be “impossible”.
A hash can’t be reversed, and brute forcing a hash is calculated to take far too long to be a realistic method for hacking.

If I had your IP, and username then I would probably first try a “social attack” meaning you learn from social media and other online activity what the person’s password could be.

Chances are that a person who is into sailing or football would have a password on the topic of sailing or football.

And that is a very good way to hack someone. It is very likely that you succeed using that method.
So if you want a good password then don’t bother with if the password had been used by someone else, make sure it’s unrelated to you.
If you like football then have “competitiveswimming” as your password.
It’s long, it’s unrelated. You could add a number, say 1905, which is also unrelated to you, in the middle of one of the words: “comp1etiti9veswim0min5g”.

To add to everything, if you use Nabu casa then the port will be blocked in your router meaning they can’t get in there either.
The request will be from your IP, but to get to your IP you need to go to blablabla.nabu.casa.
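As an added example (not Home Assistant's supervisor code), this shows what the "five characters of the hash" claim in the reply above means in practice: the k-anonymity range lookup sends only the first 5 hex characters of the SHA-1 to api.pwnedpasswords.com and matches the remaining 35 locally. The response format ("SUFFIX:COUNT" lines) is the real one; the breach list and the decoy line are constructed for this example so it runs offline.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample "breach corpus" with made-up counts (assumption for this
# example; the real service holds hundreds of millions of entries).
_FAKE_BREACH_COUNTS = {"password123": 12345, "qwerty": 3}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the range endpoint works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_fake_range_server(breach_counts: Dict[str, int]) -> Callable[[str], str]:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.

    Returns lookup(prefix) -> body, one 'SUFFIX:COUNT' line per known hash
    whose first five hex characters equal the requested prefix.
    """
    ranges: Dict[str, List[str]] = {}
    for pw, count in breach_counts.items():
        digest = sha1_upper(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def lookup(prefix: str) -> str:
        # Constructed decoy suffix (35 hex chars, not a real hash) so callers
        # must match the full suffix rather than just counting lines.
        lines = ranges.get(prefix.upper(), []) + ["0" * 34 + "A:7"]
        return "\r\n".join(lines)

    return lookup


def pwned_count(password: str, lookup: Callable[[str], str]) -> int:
    """k-anonymity check: only `prefix` (5 hex chars, 2^20 possible values)
    leaves the client; the 35-char `suffix` is compared locally.
    Returns the breach count, or 0 if the password is not in the corpus."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0
```

Against the real service the `lookup` callable would be an HTTPS GET of the prefix; everything it returns is compared on the client, which is why the server sees neither the password nor its full hash.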