hi - how do integrations securely use and store login credentials? for example, ring mqtt integration or the opower (utility company integration).
Does it vary by integration? Or is there some HA requirement that forces a single secure storage practice/process?
In general, how secure is is captured, stored and used? Is there a risk of p/w being hacked or leaked?
Secure storage does not really make that much sense here.
It is there to secure offline systems and HA is meant to be online 24/7
In general a setup is no more secure than the weakest part and HA is an open system where anyone can make integrations.
The core integrations are pretty well surveyed, both internally by the HA core team and by external security reviews, but the third party integrations are rarely more than occasionally peer reviewed.
It is up to the user to judge if they think an integration is secure or not.
I my view there are bigger issues.
First the manufacturers/vendors of the devices that require integrations are often not that secure and there are several stories about Ring products sharing information with the companies behind as the main culprit.
Secondly HA is not a security product and it will at times put convenience over security, but many still opens up directly from the internet to the HA installation.
Thirdly many users have their firewalls at home set to allow all outbound traffic to the internet, which is again a convenience thing, but is also the something that lowers the security.