What does "Insecure secrets in ..." mean?

I’m getting the same notification in a custom addon that has 2 passwords: one is the Mosquitto one (which does not get the insecure-password notification) and another one.

I’ve tested those two passwords on the website https://haveibeenpwned.com/ and they are both secure.

So, why am I receiving this notification?

Supervisor performs the test using a different resource: api.pwnedpasswords.com

Whoops, spoke too soon.
Added the password '!secret sambaPass' to the Samba config and am still getting the warning.

Thanks @123

Is there a way to stop these notifications? :innocent:

In the addon configuration, the passwords are set without !secret.
Can I use !secret in the addon and avoid the notification?

I’ve installed pwnedpasswords from here https://pypi.org/project/pwnedpasswords/ in a test container, and both of my passwords return 0 as the result, so they are not found in their database.

It’s really strange, then, that I get the notification…

Update.
Using !secrets does not stop the warnings.
Changing the password to something more secure did.

I’ve got it.

In the addon Paradox Alarm, there is a password that is set to four digits (only four, and only digits), and this is probably the cause.

So there is no way to change it to something more secure.

What can be done in this case?

LOGGING_LEVEL_CONSOLE: 20
LOGGING_LEVEL_FILE: 40
CONNECTION_TYPE: Serial
SERIAL_PORT: /dev/ttyUSB0
SERIAL_BAUD: 9600
IP_CONNECTION_HOST: 127.0.0.1
IP_CONNECTION_PORT: 10000
IP_CONNECTION_PASSWORD: paradox
KEEP_ALIVE_INTERVAL: 10
LIMITS:
  zone: auto
  user: 1-10
  door: ''
  pgm: 1-5
  partition: auto
  module: ''
  repeater: ''
  keypad: ''
  key-switch: ''
SYNC_TIME: true
SYNC_TIME_MIN_DRIFT: 120
PASSWORD: '0000'
MQTT_ENABLE: true
MQTT_HOST: core-mosquitto
MQTT_PORT: 1883
MQTT_KEEPALIVE: 60
MQTT_USERNAME: pai
MQTT_PASSWORD: my_very_secure_password
MQTT_HOMEASSISTANT_AUTODISCOVERY_ENABLE: true
COMMAND_ALIAS:
  arm: partition all arm
  disarm: partition all disarm
MQTT_COMMAND_ALIAS:
  armed_home: arm_stay
  armed_night: arm_sleep
  armed_away: arm
  disarmed: disarm
HOMEASSISTANT_NOTIFICATIONS_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
PUSHBULLET_CONTACTS: []
PUSHBULLET_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
PUSHOVER_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
SIGNAL_CONTACTS: []
SIGNAL_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
GSM_CONTACTS: []
GSM_EVENT_FILTERS:
  - 'live,alarm,-restore'
  - 'live,trouble,-clock'
  - 'live,tamper'
IP_INTERFACE_ENABLE: false
IP_INTERFACE_PASSWORD: paradox
DUMMY_EVENT_FILTERS: []
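For anyone wondering what the Supervisor check against api.pwnedpasswords.com mentioned earlier actually does: it uses the range endpoint, so only the first five hex characters of the password's SHA-1 leave the machine, and the reply lists every suffix in that bucket with a breach count. This is an added example, not code from the thread or from Home Assistant; the range reply below is constructed, not a real API response, and it shows the case the poster suspects: a short PIN that is in the list gets a non-zero count, a password that is absent gets 0.

```python
import hashlib
from typing import Dict, Tuple

# Real endpoint shape: GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# The server answers with one "SUFFIX:COUNT" line per known hash sharing that prefix.

def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the returned bucket, 0 if absent."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)

def build_constructed_range_body() -> str:
    """Constructed stand-in for an API reply (not real data): the bucket for the
    PIN '0000' holds the PIN's own suffix plus two made-up neighbour entries."""
    _, pin_suffix = split_sha1("0000")
    return "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:3",   # made-up neighbour
        f"{pin_suffix}:12345",                      # constructed count for '0000'
        "FEDCBA9876543210FEDCBA9876543210FED:1",   # made-up neighbour
    ])

CONSTRUCTED_RANGE_BODY = build_constructed_range_body()

if __name__ == "__main__":
    for pw in ("0000", "my_very_secure_password"):
        prefix, _ = split_sha1(pw)
        hits = breach_count(pw, CONSTRUCTED_RANGE_BODY)
        print(f"{pw!r}: prefix sent = {prefix}, breach count = {hits}")
```

The real API only ever sees the 5-character prefix, which is why blocking the domain (as suggested below) is a privacy-neutral choice but also removes the check entirely.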

You can use the helpful post on the other thread to automatically dismiss the notification for now…

https://community.home-assistant.io/t/opt-out-of-pwned-secrets-warnings/286394/24

1 Like

Exactly. I agree to change the password for root SSH, because the username is known there. However, for other cases where a username is used I will not change the password, and I would like to get rid of the notification. How can I disable it?

What I did (and I mentioned it in a previous post in this thread) is block access to api.pwnedpasswords.com. That prevents it from performing the test. The failure is recorded in Supervisor’s log but that’s acceptable to me.

An alternative is to create an automation that immediately deletes the persistent notification produced by the password test. There are examples posted elsewhere.

1 Like

I’m getting an error for my Spotify secret. I changed it, and I still get the error. I took my secret to haveibeenpwned.com and I don’t get a warning on the site. Something seems wrong.

I tried that solution, but in that case I receive a notification that a notification has been blocked, so it’s not useful…

Thanks anyway.

As suggested by @123, I have blocked (temporarily?) api.pwnedpasswords.com via AdGuard, for requests coming from the HA IP.

1 Like

Do you see the comment at the end of the automation?
“Remove this after testing?”

Did you remove “this”?

3 Likes

Oops!

I hadn’t noticed the comment and the code to remove…

I will try now.
Thanks!

1 Like

May I ask how you did this?
I have installed AdGuard in HA and added api.pwnedpasswords.com and haveibeenpwned.com to the custom filters section, but I am still getting the nag notifications.
Am I missing an install step in AdGuard, or putting the site in the wrong section?
Thank you.

I’ve solved it using this code:
https://community.home-assistant.io/t/opt-out-of-pwned-secrets-warnings/286394/24
and removing the code after the comment

# Remove this after testing :-)

My AdGuard problem was down to my stupidity. It would have helped if I had pointed the HA IPv4 DNS entry to the same IP as HA (which, of course, AdGuard is running on).

I tried to change the Mosquitto password, but it doesn’t work (also changed in MQTT devices). I tried to uninstall and reinstall the addon, but it doesn’t work. Anyone have a solution? Maybe you need to delete some files, but I don’t know which ones. (Sorry for my English.)

I had to play around with it too.
Try removing the user password option in the MQTT configuration. Then either set up a new HA user or use another HA user’s credentials. The broker allows access to all Home Assistant users.

Thanks, it worked.

1 Like