Pwned secrets - finding the offender

I have quite a few passwords in my secrets file. All the passwords were created by LastPass and are unique to each integration/service.

  1. Does HA hash and submit every item in the file, or just those that indicate that they are passwords?
    a) If every item is submitted and, say, my email address has popped up in pwned, then I won’t be changing my email address. How do I get HA to ignore previously reported concerns but continue to check for new issues?
    b) If only passwords are submitted, then the implication is that one or more services/integrations are compromised. If so, all HA users should surely be made aware?

What is the best way to find which in my list is the offender without pasting each one into the pwned web page?

It doesn’t check your secrets file at all currently, just the credentials in your Supervisor add-ons configuration. So stuff like Samba, SSH, MariaDB, etc. The notification title will tell you exactly which add-on has the insecure password.

You can see all your add-ons at Configuration -> Supervisor

On the add-on details page there will be a “Configuration” tab where you can update the password.

2 Likes

Well that wasn’t obvious to me, but is now, thanks.

1 Like
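
For the original question of finding which entry in a list is the offender without pasting each one into a web page, here is an added example (not from the posts above and not Home Assistant's own code). It assumes "pwned" means the Have I Been Pwned Pwned Passwords range API and a flat `name: value` secrets file; the function names, sample secrets and offline stand-in response are constructed for illustration.

```python
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def fetch_range(prefix):
    """Fetch all hash suffixes sharing a 5-character SHA-1 prefix (network call)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "secrets-pwned-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")

def pwned_count(value, fetch=fetch_range):
    """Return the breach count for value; only the 5-character prefix leaves the host."""
    digest = hashlib.sha1(value.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def parse_flat_secrets(text):
    """Parse flat `name: value` lines, as in a simple secrets.yaml (no nesting)."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        secrets[name.strip()] = value.strip().strip("'\"")
    return secrets

def find_offenders(secrets, fetch=fetch_range):
    """Return {secret name: breach count} for every value present in the corpus."""
    counts = {name: pwned_count(value, fetch) for name, value in secrets.items()}
    return {name: n for name, n in counts.items() if n > 0}

# Constructed sample input and a constructed offline stand-in for the API.
SAMPLE = "# constructed sample\nmqtt_password: password\nsamba_password: 'xK9#constructed-unique-value'\n"

def offline_fetch(prefix):
    digest = hashlib.sha1(b"password").hexdigest().upper()
    body = "0" * 34 + "A:3\r\n"  # unrelated suffix, as a real response would contain
    return body + (digest[5:] + ":42\r\n" if digest.startswith(prefix) else "")

if __name__ == "__main__":
    for name, n in find_offenders(parse_flat_secrets(SAMPLE), offline_fetch).items():
        print(f"{name}: seen {n} times")
```

Calling `find_offenders(secrets)` without the second argument uses the live range endpoint; the comparison against the returned suffixes still happens locally.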