Password is correct but UI saying Invalid login or Password

This is absolutely inexcusable. I am trying to log in from a new device to the UI but I keep getting “Invalid username or password”.

I am 1000% sure my username and password is correct.
I looked in the auth file in the config and I can see that my username is the same as my name.
On one device that I am still logged in, I can go and change the password to a new password so I know for sure that the password is correct.

Still, for the life of me I cannot log in.

Please please please someone give me some hints. This is beyond frustrating.

Maybe some “fail2ban” add-on triggered on your new device?

Thanks for the suggestion. I don’t have this add-on.
My configuration.yaml is very short.

I also just tried to log in using an incognito session from the same laptop I’m still logged in and I’m still getting a login error.

Next I tried from my phone, same result.
Tried from the companion app, same result.

Look in your logs for errors. You can access them via samba or ssh. Or in your working version, go to the logs.

For every failed attempt, you should also get a persistent_notification in your working version as a failed login.

Thanks petro, this is what I see in the logs when attempting to log in with my username: WorkHard

2021-01-18 09:40:41 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from ( 
(Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36)

This is what I get from my mobile:

2021-01-18 09:32:53 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from ( 
(Mozilla/5.0 (iPhone; CPU iPhone OS 14_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Mobile/15E148 Safari/604.1)

From the Nabu Casa remote UI:

2021-01-18 09:58:40 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost ( (Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15)

It does appear indeed like something is banning all ip but can’t understand why.
I don’t have ip_ban_enabled or an ip_bans.yaml in my config folder.

That’s not adding bans, that’s just saying that there was a log in attempt. Are you sure you have the correct password?

Yes, I’m not the only person that this happened to. I can see multiple people that had this issue but none of the solutions I tried worked for me.

I wrote the password in my notes. I also have that same password in my icloud keychain.
And as I said, I still have an active session and I am able to enter my existing password and change it to a new one confirming that my password is correct.

In the Lovelace UI> click my name at the bottom> enter current password>enter new password> save.
In the lovelace UI>Configuration>People>click my username>Change Password. Here I am not even asked my existing password and I can successfully change it to a new one.

Neither the new password or the old password work.

I also have another username created since the beginning (my SO). That user can also not log in with their password. There’s no way the password is incorrect for the both of us.

What is [homeassistant.components.http.ban]? Or is that the default method that is called http.ban regardless if it’s an actual ban or an incorrect password?

It’s just the section of code that’s outputting the warning, it doesn’t mean that you’re using ip_ban. All failed requests go through that.

I’m not sure how else I can help. If your config is bare and you’re using the correct password, then it’s out of my realm of expertise.

Browser settings, clear cache + cookies (since the last time you were able to log in)

Do a refresh of the login page (Ctrl-F5 on most browsers)

Logout of lovelace front end and use F12 (usually works in Chrome) to trace the login network traffic (maybe too advanced for you but it’s worth mentioning)

Did all of that plus tried from a laptop that I never accessed HA before. Same thing.

Here’s what I see when I do a trace:

Could not load content for webpack://home-assistant-frontend/authorize.e8f4733c.js (HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME)

Could not load content for webpack://home-assistant-frontend/chunk.7eff1f35097a04767aa5.js (HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME)

Perhaps something happened when I activated the Nabu Kasa subscription the other day?

How can I truly reset the password if I still have access to the UI? The regular way to reset the password clearly doesn’t do anything.

That looks like a redirect browser error or somehow the browser believes you are entering a redirect url. You’re not running a reverse proxy or have something in the stack you have not declared to us??

Anyway I would try both these in order given , please do not skip or assume it will not fix, try them !..

  • try another browser to duplicate / repeat the error? working now?
    if not
  • clear cache and cookies (all time) in browser then delete your account on local HA server. delete your account on the HA cloud service. recreate both accounts

I did try that.
Have not deleted my accounts as I’m afraid I’ll be locked out completely.

My setup is very vanilla.

I went ahead and created a new *third account by going to People>Add Person.
And after adding it, the person doesn’t show up in the person list but I can log in with the new person.
Restarted HA and still do not see the person in the list but I can log in with the account.

This is bonkers.

If you do not try what we suggest then we cannot help you can we. I do not want to provide help if you are not going to try the suggestions - it would be pointless. I will have one more attempt: always execute all of the suggestions submitted by members trying to help you. If you can create a user and log in then the HA authentication is not the issue - is it.

Also, I see you posted then deleted it. I read it on my phone before you deleted it - that had some useful info in it!!! You appear to not be using https:// as the url protocol so I take it your HA server connection is/was always “insecure” in so far as your network LAN config goes. But that’s ok, provided it cannot be accessed from the WAN (port forwarding etc). I wonder whether your install is ok. I assume you did read this and all links therein - all of them

If you cannot see users then that is strange and I have never come across that before.
Also, I concur with @petro - check all log files as it does appear to my mind, that you are not using the correct username/password with case sensitive characters so check your logs for activity and if the logs do not show much detail then you’re probably not looking (yet) at the correct logfile.

I have had something similar and from my recollection it was due to my old password being in the pwned register.

Trying changing the existing password by adding some special characters and numbers at the beginning and/or end.

If this works then it’s certainly the pwned issue that I had.

Oh and make sure that your instance is not public facing and using http when doing any changes :slightly_smiling_face:

What do you mean by that? the pwned global www register? If so it has got nothing to do with HA auth - well unless one is using the haveibeenpwned integration which also requires a key so I would presume he knows about that if he’s using it , but that does not seem to be the issue here or if it is he has led us down the path a bit :laughing:

@ninjaef @petro and others, thanks for you help.

For closure:
I suspect that I’m a dummy :). I can’t confirm, but I believe in the .storage folder I was looking at the auth file instead of auth_provider. The auth shows an ID and a name for each user but that’s not the username. The true username is in the auth_provider file and that file only.

I am almost certain that the username was wrong this whole time not the password. Which is very strange but so be it.

I ended up creating 2 new users first, I verified that I can log in with the new users and then removed the old 2 users. I then went through all the files in the .storage and carefully removed any reference of the old usernames which made me realize the username fiasco.

Thanks for the https suggestion. I use Nabu Casa to remote in (and to support the team) so I’ll worry about securing my local instance once I have a house and locks added. I’m in an apartment now so don’t care about that.

I discovered a weird glitch that I hope gets fixed/improved:

  1. When creating a person and checking the box “Allow person to login”. - another window (Add User) will pop up that asks you to input the username/name/password.
  2. After clicking Create, you are sent back to the screen (Add Person) that again asks you to enter a name (for that same person you just created a user for).

This is very confusing and that’s were I messed up. I clicked cancel on this second window which created a user but did not create a person.
Why is that done in two steps if you are already asking a “Name” in the “Add User” window. It’s redundant and confusing.

1 Like

No, you are most certainly not a dummy. What you are is someone who has managed to diagnose a fairly complex system , and drill down into possible root-case, then by a targeted test you confirmed your diagnosis. To me, that seems rather intelligent :slight_smile:

Glad it’s sorted.- but in defence, I did suggest creating a new user and deleting the old one, very early on.

On the “allow person to login” - I haven’t used that for years so I will try it later and observe the behavour.

1 Like

Well, you stumbled upon the merging of people and users. Back in the day, they were separate. Over time, they unified into 1 configuration. I’d guess this is why you ran into problems. I haven’t gone through the process in some time. But I’d wager that because they were separate in the past, they are semi separate now… but not.

I have the same issue as OP for many versions of HA. I will try the solution he suggested. I think this issue is a lot more common than some might think though - because you can just dismiss the errors, a lot of people ‘put up’ with it. But then when real issues pop into notifications they’re harder to see. It’s such a frustrating issue with such a convoluted origin, if it is as widespread as I suspect, perhaps an ‘auto fix’ in an upcoming release would be greatly appreciated by the community?

Just confirming i’ve done a brand new (first ever HA user) install on a Pi4, everything was fine following the instructions, SD card creation, got the webpage up and created the user with name admin, username admin, and relatively easy password.
Everything looked great, playing around with the web interface and playing with devices,
I then installed the Android app to try and test that out, it kept saying invalid username/password (even though 100% correct)
So i went into the user properties and changed the password successfully to just the word password from the slightly more complicated but simple previous password.
Still the android app said invalid username/password when it was 100% correct again.
I then logged out of the Windows web browser session and started that up again
Guess what, now that says invalid username/password as well, so I have no way to login to the brand new created HA install.
Brilliant security design guys.