Of course they have your IP. You connected to them (well, the HA Supervisor did).
Of all your passwords. That’s already a lot. They can use this information to run a dictionary attack on your system without even connecting to it. If they wanted they could have entire botnets running dictionary attacks on all of your passwords 24/7 without you ever knowing about it. Passwords that don’t match can easily be weeded out using the partial hash. They’ll be left with a small subset of candidates they would have to actually try against you in an active way.
The fact that we are still discussing this issue is absurd. This ‘feature’ is a subversion of what HA stands for. It is a violation of the users privacy. At this point I would fully expect a developer to come forward and say, OK guys we messed up with that one, we added a consent dialog with opt-in / opt-out checkbox on the next release. And the issue could be closed.
You are just guessing.
There is no fact that there is an database with your IP and the characters you sent to them.
I call bullshit, prove to me that exists and we can discuss it further.
You can’t build a dictionary of an incomplete hash.
It doesn’t work that way.
The first characters of the hash does not relate to the first characters of your password.
It’s not like anyone can make out that your password starts with…
Try out different hashes and you will see that they do not relate to each other.
No… but you can find all known passwords in dictionaries by partial match of hashes. You can also try generating the passwords and then hashing them before trying against your system. it minimizes number of failed attempts.
No offense but It’s you who are still making assumptions showing lack of knowledge in this area.
BTW AFAIK SHA1 is considered non-secure for about ten years now… Another “good” decision.
I’m not guessing, that’s how the internet works… If you connect to a site, they have your IP. Look up how TCP/IP works…
That’s not what I was saying. Reread my post. A hash (even a partial one) is a validator for a password. It will tell you with 100% certainty if a specific string (either through brute force or through a dictionary) cannot be your password. It can be used to rule out vast amounts of attempts without needing a connection to your system.
So basically, should that third party site ever go rogue, then this shiny new HA security feature will make attacks on your system easier - regardless of how good your password is.
Hi!
1st: If my Hassio is sending the request they will have my IP address. It can be “static” enough to use it. Also if the site is not storing it (I hope) in some logs it’s possible to find it (if the site has been hacked it is much more possible). A simple port scan and they will find the hassio port. Of course username is needed but people doesn’t use so complex ones.
2nd: If they send only 5 char of a SHA256 hash the number of collision is extramely high, so my super safe password can hashs like a stupid “1234” looking only at first 5 chars. This means the check is totally unusefull
3rd: If they use more than 5 chars and they are sure my pwd is compromised they should have (or easy to find) a raimbow table with my clear password.
Said all this, why this feature cannot be turned off? Seems a lot of people are not so happy to have enabled it by default
Well, a lot of people have dynamic IPs without external NAT (just a NAT to their local LAN IP range at the router) and use a poor man DNS server like Duck DNS or similar. But even if your IP changes at regular intervals, the fingerprint you leave with the partial hashed passwords, and that HA conveniently updates every hour, will allow any attacker to find your changed IP by matching the implicit GUID the hashes create. If your secret only contain 5 passwords (and most people probably have more), that’s a unique 200 bit UID that can be used to identify you and track any IP change that might happen at any time.
You haven’t read how it works.
All the collisions are sent to your HA and HA looks if the exact hash is in the list.
The partial match is done externally, the exact match is done locally.
If you have the port open yes.
I don’t have any ports open. It’s not needed with Nabu casa.
Even if you have a very simple username then given a list of IP and five random characters, how can the username be simple to guess?
Maybe I’m missing something obvious? Please enlighten me then.
But that still does not mean it’s logged and saved.
I would be very surprised if they did log any of that since it violates GDPR law, and would make you a target for an attack. (Yes that is a guess, I have no shame in admitting that)
Again show the list where your IP and your five characters are.
If you can’t then it’s just guessing.
And that, is a fact.
You don’t get it, do you ? All this above is under the assumption that the pwned site gets compromised or controlled by a new owner with shady intentions. And considering the amount of compromised and backdoored sites these days, that wouldn’t be very far fetched. And if it does, you can bet that IPs will be logged and stored…
You are right, I didn’t read how it works. Now it sounds more reasonable.
But is I use 123 as internal samba password from my PC and hassio why have I to care? It would be useful only with user passwords.
About Nabucasa, i prefer to manage my system by myself, without cloud providers. And it has a crazy price IMHO. I pay 0.99/month for a cloud linux VPS, 5$ for just an access it’s too much.
Whether or not it’s a good idea to occasionally check one’s passwords against HIBP, it’s most certainly NOT a good idea to force all HA users to run this check hourly against all their stored passwords, or send hourly nagging notifications. It’s a waste of resources, fills up the logs and creates aggravation for the administrator (us.)
And even if it were a generally good thing, it’s not in the spirit of HA to force a one-size-fits all solution on everyone.
All we ask is a chance to opt out. If you don’t want to opt out, that’s great. Welcome to HA, where you can configure things to suit your own needs.
Wow, everyone needs to relax. Arguing with each other solves nothing. A good chunk of these posts are walking the COC line. Everyone, go vote for the feature request and take some time to cool off.
This is irritating as hell. And it is not the least bit helpful if it can’t show me the password that was in the pwned database. Am I supposed to go and change every single ‘secret’ which includes I imagine simple usernames used anywhere in Home Assistant?? My username for my MQTT broker is Mikey. I just made that up on the fly and my name is not Michael. But if ‘Mikey’ is in the pwned database as a terrible password, then fine, kind of. But it is not a password. And it doesn’t need to be protected by the HA Nanny. At the very very least this needs to be able to be turned off. But the whole thing should be scrapped as it is just a terrible idea, even if it were to be implemented well, which it was not.
I must agree! This is my setup, my data, my server, my risk. If I want to take that risk it is me that must be able to opt-out.
Have you seen “what you must do to make node red safe”? Howly mowly, that is an awfull lot of work and risk on troubles. And why bother if my samba share is protected by a simple user and pass… I run it in a dmz with only access from 1 single pc on smb.
Please make this undone! Or at least opt out or a kill switch for the warning. Or a good manual on what to do per addon that a message is sent for…
Hey, as promised way way back 3 days ago (I would have posted it yesterday but ya’ll got the thread locked), I’m finally back from the land of limited internet and knocked this addon up last night.
It’s very much an at your own risk solution but it’s working for me. Hopefully the devs will give us the opt out option, or at the very least not intentionally break the addon.
