Pwned password in Node RED addon

You can change credential_secret:

Restart the add-on and when you open the ui you will see a prompt:
[screenshot]

When you next hit deploy your node-red instance will use the new secret.
Any nodes which require credentials to be added will need to be reconfigured.

6 Likes

The add-on is the Node RED add-on in the supervisor. If you open up the supervisor on your console, select Node RED and go to the Configuration tab, you will see an item in the configuration called credential_secret where you specified a password during setup. It is this that is insecure and has been found in the Have I Been Pwned database.

2 Likes

Thanks. This suggests that Node RED will clear existing flow credentials which also suggests to me that something will need to be re-entered, is that the case?

I’m guessing if there are outside credentials, those may need to be re-entered. The connection for node-red to homeassistant is not affected. I don’t use node-red much. I can try a flow which uses mqtt or something else.

I don’t have an instance to test it on so if you could that would be great, I have all of my automations in Node RED and I really don’t want to break them :slight_smile:

If it just means re-entering my Mosquitto password in one configuration node then I can live with that.

Ok, I used the email node and configured that, deployed it and tested it.

I then changed the secret, restarted node-red, and can confirm that the credentials I had entered were missing after dismissing the warning. Other details about the node, smtp server etc, remained. Only the user/pass was cleared.

[edit] I added a note about that above

1 Like

That’s really helpful, thank you. It looks like it will just be the Mosquitto password that I need to update.

Great, changed credential secret, got the prompt, re-deployed and… now I have a non-working Node Red. I have a ton of stuff in there using MQTT, Pushbullet etc etc and everything says disconnected. I get the MQTT data in Home Assistant so what is now broken between HA and Node Red? There is nothing in Home Assistant or on the computer I run it on that is “sensitive” and having to jump through all these hoops and breaking my setup is worth keeping someone from seeing the temperature of my fish tank or status of my sprinklers. Christ.
I see now that I have to go into each node in Node Red and set up a new server connection to HA.

Ouch! I didn’t make the change on my system last night as it was about 10 p.m. here and I never make big changes at that time of day as I value my sleep!

Checking in my Configuration Nodes in Node RED I have 664 nodes using the connection to HA so I’m definitely going to hold off until I see if there is a better way to do this.

1 Like

So I spun up a test VM this afternoon and created a limited test version of my HA instance. I set it up as follows:

Home Assistant OS 5.12
Home Assistant Core 2021.3.2
Node Red add-on from Add-on store
Mosquitto add-on from Add-on store
HACS
Node Red Integration installed via HACS

My connection from HA to Node Red is configured as follows:

I changed the credential_secret in the Node Red add-on Configuration tab and restarted the add-on.

I then opened the Node Red console and got this message:

[screenshot]

At this point all of my HA nodes were still working but the MQTT nodes had disconnected.

I opened the mqtt-broker node and re-entered the user name and password for Mosquitto and then hit the update button.

Once I had done that everything was back to normal.

I think that the Home Assistant nodes were unaffected by the credential_secret change because they do not have credentials stored in the Node Red config due to the way that the add-on is built (see 1st screenshot above).

I can’t guarantee that anyone else’s experience will be the same but hopefully this will help someone with a similar config.

edit: typos

Are you not using the node-red addon? The connection between node-red and HA should be fine if “I use the node-red addon” is checked, which is the default.

The issues with mqtt and pushbullet etc line up with what I described above.

I had to go into each of the Node Red nodes that connected to HA and set a new server connection. Everything is back up and working and no more pwned nags. Was a chore but done.

The Insecure secrets message was seriously unhelpful.

Thank you for your post… I changed my credential_secret, redeployed, all is well!

If the credential password is changed but still visible will it not throw an error again before too long?

Until there is a clear way to fix this without re-entering all passwords, I use this very stupid automation as a way to get rid of the notification:

You can find the notification ID at Developer Options -> States.

Thank you, this really helped me :smiley:

This is not about it being visible. Nothing to do with secrets.yaml.

I’ve been getting the notification for the last week or 2. I first tried blacklisting the haveIbeenpwnd site, which I found in a different thread, on my pihole server. However, I continued to get the notification.

I then bit the bullet and changed the credential secret in the addon. I also checked the new (really long) password on the have I been pwnd website and it gave it the all clear. Reconfigured nodered (and the mqtt connection) and all was good.

However a few moments later I still get the notifications!

I tried restarting the addon and also HA - But still the notifications keep coming. Any ideas why?

To anyone interested, the password check can now be disabled with the command below in the CLI using the latest versions of either the core-ssh add-on or the community ssh add-on:

Terminal & SSH (core) version 9.1.0
SSH & Web Terminal (community) version 8.0.4

ha resolution check options --enabled=false addon_pwned

Reboot the host after this so that it takes effect: ha ho reboot

4 Likes