What means "Insecure secrets in ..."?

janbenes · March 4, 2021, 4:53pm

Hello, there is mixed explanation about this. In notifications, the explanation is “The add-on … uses secrets which are detected as not secure”. However, the link in notification points to page that says “it means that you are using secrets in your configuration which have been leaked and are publicly known”. That is different. First explanation can mean that I use plaintext passwords in config files, which is on purpose and I do not intend to change it. Second explanation is that these passwords leaked to internet, which I do not believe, because I use HASSIO, which is pretty closed system, and login with password.

What is correct? Does it really mean that passwords leaked? I really do not want to go through all my mqtt sensors and reconfigure accesses.

It seems to me that the check is only if exactly same password already exists in list of leaked passwords, without any relation to my installation. In that case, I do not care.

Can I disable that notification somehow?

tom_l · March 4, 2021, 5:01pm

You are using passwords that are known to exist in hacker password lookup dictionaries.

You should change them.

jens55 · March 4, 2021, 5:44pm

I received that warning for my nodered add-on but wasn’t even aware that this add-on used secrets. Where in that add-on would I find the secrets to change ?

Hellis81 · March 4, 2021, 5:46pm

As far as I have read from the other threads, you don not want to change the node red password.

NK553 · March 4, 2021, 5:46pm

It’s the credential found in the addon config, and you can’t change it or node-red won’t be able to decrypt your credentials…@frenck any ideas?

Short of reinstalling the addon with a new credential and exporting/importing your flows, I don’t know a solution to this…

123 · March 4, 2021, 6:12pm

The message gives the impression that the secrets from one’s configuration have been leaked. My first thought was “I’ve been breached and my secrets.yaml file has been accessed and its contents are now publicly known?”

After that initial erroneous conclusion, I realized it simply used awkward language to say I was using a password that was known to exist in a database of stolen/hacked/pwned/known passwords. In other words, my password was not particularly unique therefore insecure; I should change the password to something better.

Hellis81 · March 4, 2021, 6:18pm

Yes… password.
But that doesn’t mean your username is known.
Password alone is not enough to hack someone.

123 · March 4, 2021, 6:25pm

As far as I know, the Supervisor only tests the password. After I had changed the password for the Samba Add-on, the warning message was not repeated.

I understand you need both username and password to login but, in the interests of improving security, the developers only had the means of testing the password (and so they did). Personally, I would prefer to disable this feature and I have (by blocking access to api.pwnedpasswords.com).

jens55 · March 4, 2021, 6:25pm

If I can interpret the responses, it sounds like this ‘new feature’ wasn’t fully thought out and I can expect to have the error go away magically with another upgrade in the future.
Looks like I will just have to put up with it for now … not a big deal.

Thanks

stevemann · March 4, 2021, 6:31pm

I just got this as well. Its a feature in core-2021.2.3. Read the “My oh my” thread, scan down to “Not enough? You want more? Okay then!”.

Yes, the description could be better worded, but I was sure nothing had been leaked because my Home Assistant is not on the web.

I fixed it in my Samba add-on using information found in a search of this forum. Put the !secret line in quotes:

sambapass

woody4165 · March 4, 2021, 7:16pm

I’m getting same notification in a custom addon that have 2 passwords, one is the mosquitto one (that does not get the Insecure password notification) and another one.

I’ve tested those two passwords on the website https://haveibeenpwned.com/ and they are both secure.

So, why am I receiving this notification?

123 · March 4, 2021, 7:18pm

Supervisor performs the test using a different resource: api.pwnedpasswords.com

stevemann · March 4, 2021, 7:22pm

Whoops- spoke too soon.
Added password: '!secret sambaPass' to the Samba config and am still getting the warning.

woody4165 · March 4, 2021, 7:24pm

Thanks @123

Is there a way to stop these notifications?

In the addon configuration, the passwords are set without !secret
Can I use !secret in the addon and avoid the notification?

woody4165 · March 4, 2021, 7:43pm

I’ve installed pwnedpasswords from here https://pypi.org/project/pwnedpasswords/ in a test container and both of my passwords give as result 0, so they are not found in their databases.

Really strange, so, that I get the notification…

stevemann · March 4, 2021, 7:45pm

Update.
Using !secrets does not stop the warnings.
Changing the password to something more secure did.

woody4165 · March 4, 2021, 7:49pm

I’ve got it.

in the addon Paradox Alarm, there is a password that is set to four numbers (only four and only numbers) and probably this is the cause.

So there is no way to change it to something more secure.

What can be done in this case?

LOGGING_LEVEL_CONSOLE: 20
LOGGING_LEVEL_FILE: 40
CONNECTION_TYPE: Serial
SERIAL_PORT: /dev/ttyUSB0
SERIAL_BAUD: 9600
IP_CONNECTION_HOST: 127.0.0.1
IP_CONNECTION_PORT: 10000
IP_CONNECTION_PASSWORD: paradox
KEEP_ALIVE_INTERVAL: 10
LIMITS:
  zone: auto
  user: 1-10
  door: ''
  pgm: 1-5
  partition: auto
  module: ''
  repeater: ''
  keypad: ''
  key-switch: ''
SYNC_TIME: true
SYNC_TIME_MIN_DRIFT: 120
PASSWORD: '0000'
MQTT_ENABLE: true
MQTT_HOST: core-mosquitto
MQTT_PORT: 1883
MQTT_KEEPALIVE: 60
MQTT_USERNAME: pai
MQTT_PASSWORD: my_very_secure_password
MQTT_HOMEASSISTANT_AUTODISCOVERY_ENABLE: true
COMMAND_ALIAS:
  arm: partition all arm
  disarm: partition all disarm
MQTT_COMMAND_ALIAS:
  armed_home: arm_stay
  armed_night: arm_sleep
  armed_away: arm
  disarmed: disarm
HOMEASSISTANT_NOTIFICATIONS_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
PUSHBULLET_CONTACTS: []
PUSHBULLET_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
PUSHOVER_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
SIGNAL_CONTACTS: []
SIGNAL_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
GSM_CONTACTS: []
GSM_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
IP_INTERFACE_ENABLE: false
IP_INTERFACE_PASSWORD: paradox
DUMMY_EVENT_FILTERS: []

lexathon · March 4, 2021, 7:53pm

You can use the helpful post on the other thread to automatically dismiss the notification for now…

https://community.home-assistant.io/t/opt-out-of-pwned-secrets-warnings/286394/24

janbenes · March 4, 2021, 9:49pm

Exactly. I agree to change password for root SSH, because username is known there. However, for other cases where username is used I will not change the password and I would like to get rid off the notification. How can I disable it?

123 · March 4, 2021, 10:45pm

What I did (and I mentioned it in a previous post in this thread) is block access to api.pwnedpasswords.com. That prevents it from performing the test. The failure is recorded in Supervisor’s log but that’s acceptable to me.

An alternative is to create an automation that immediately deletes the persistent notification produced by the password test. There are examples posted elsewhere.