When I rebooted Home Assistant today I noticed it connected to api.pwnedpasswords.com. I understand what pwnedpasswords.com is and why some people would want to use that, but not everyone does.
To be really clear, I don't think Home Assistant should be configured to check my passwords with a 3rd party without my very specific opt-in actions. The devs here make way too many incorrect assumptions about what end users want and provide no way to opt out.
Another example of this behavior from devs is Home Assistant thinking it should be allowed to bypass my pihole and do its own DNS lookups. The devs aren’t interested in listening to anyone who has a dissenting opinion.
Do not mark this as a solution because it does not address the real problem: why do developers think it is acceptable to share someone else's passwords with a third party service without that user's express permission?
Why does this matter? Because how do I know the developers aren't "helping me" by sharing my personal and confidential data with other third party services I haven't yet discovered?
Home Assistant's Mission Statement is:
"to create a people-focused, open-source home automation platform that prioritizes privacy, choice, and sustainability"
Sharing my personal private data with any third party service that I didn't implicitly choose to share it with is completely failing two out of the three things in the first sentence of the mission statement.
We are using the Have I Been Pwned (HIBP) service for detecting leaked or compromised secrets, like passwords.
If you get a warning about it, it means that you are using secrets in your configuration which have been leaked and are publicly known. It is strongly advised to change these secrets with a more secure alternative as soon as possible.
Please note: this feature does not send out your secrets to check this.
I completely understand what Pwned Passwords is and what it does, that is not my problem here.
My complaint is that my password information is being shared with a third party without my knowledge or permission. I get that you may think it’s ok because Pwned Passwords is a good thing, I do not share that belief and do not want to be automatically opted into the service with no knowledge and no easy way to opt-out.
Which raises the question: what other third party services is my information being shared with?
Stop trying to answer the question I'm not asking and explaining what Pwned Passwords is, and instead address the real question of developers thinking it's ok to share my personal information with third party services without my knowledge or ability to opt out.
My big issue is developers are making a lot of these decisions because they think they are smarter than everyone, when they’re really not.
I question the whole premise of checking the pwned web site. I don’t care if someone else, somewhere in the world, has used the same password for their Macy’s on-line shopping account as I used for my Home Assistant account. The two are unrelated.
I agree it’s good to identify when a password may be weak because lots of other people use the same one. If that’s a problem for you, you don’t need the pwned check. You need to stop using weak passwords.
But, if the user chooses to use a weak password, it’s not HA’s job to nag them about it.
I do appreciate that the option to opt out is available, but I agree it should be more visible.
If someone is engaging in problematic behavior, being silent about it and hoping they change it on their own is really not a good strategy. I may be more direct than you prefer in pointing out the problematic behavior, but I'm not wrong that it is problematic.
Part of the software development job is to make decisions that necessitate judgment calls. When a judgment call does not go the way you'd like, it most certainly isn't because "they think they're being smarter than me", although it may also be simultaneously true that they are being smarter than you. Nearly no job is less forgiving of stupidity than software engineering.
If you are a developer and you think sharing someone's private password information with a third party without their permission or knowledge is a good decision, you have terrible judgement.
A developer deciding to circumvent DNS blocking by directly querying 8.8.8.8 is not a judgement call, it is adversarial behavior. The developer decided "I want this DNS information, and I don't care if the end user is blocking it, my needs are more important." If you are a developer and you can't write code that fails gracefully when DNS blocking takes place, you should stop being a developer.
I have adversarially reverse engineered complex algorithms in a professional capacity for over two decades, so no, they are not in any way smarter than I am.
Please note: this feature does not send out your secrets to check this. Your secrets and privacy are guaranteed by k-anonymity. Your secrets are hashed, and the first 5 characters of the hash result are used to query Have I Been Pwned. Have I Been Pwned returns the results of possible password hashes that match, and we check the last part of the password hash against this list locally.
IMO there is more concerning stuff, like recommending running HA and ESPHome in a privileged container.
I do not want any part of my secrets shared in part or whole, with any level of cryptography, with any person any organization any service or any device, under any circumstances, for any reason, for now until all eternity. I don’t know how to make that any clearer.
I do not think Home Assistant should be contacting any third party to "help me" unless I have told it to. Developers can't seem to wrap their brains around DNS blocking, so when I do block something Home Assistant just keeps trying to get out; my Home Assistant tries to make over 500,000 outbound connections every day.
You do not understand cryptography and are making false assumptions. Your personal information is not being shared. Once you understand how cryptography actually works, your whole complaint becomes moot.
(While I do agree that the service should come with an opt-out configuration option.)
100%. Nothing cryptographically relevant is being shared except a partial salted hash? Not worried except that yes this should be a notify and opt in situation.
I still want to disable the hibp check because if somewhere along the chain that call gets blocked, one cannot save any credential in HA any longer as the hibp check interferes.
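The k-anonymity range check described in the earlier reply (hash locally, send only the first 5 hex characters, compare the suffix at home), plus the blocked-lookup failure mode raised in this last post, as an added Python example. This is not Home Assistant's code: the range service, its "leaked" corpus and the blocked-network stand-in are all constructed here so the example runs offline.

```python
import hashlib
from typing import Callable, Dict, List, Optional

RANGE_PREFIX_LEN = 5           # only these hex chars of the hash ever leave the host
SENT_PREFIXES: List[str] = []  # what the constructed service actually received

def split_hash(password: str):
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:RANGE_PREFIX_LEN], digest[RANGE_PREFIX_LEN:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range endpoint returns."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> Optional[int]:
    """Occurrences of the password in the corpus, 0 if absent, or None when the
    lookup could not be made (e.g. DNS blocked) so callers treat it as unknown
    instead of refusing to save the credential."""
    prefix, suffix = split_hash(password)
    try:
        body = fetch_range(prefix)        # only the prefix is transmitted
    except OSError:
        return None
    return parse_range_response(body).get(suffix, 0)

# Constructed offline stand-in for the remote service and its "leaked" corpus.
CONSTRUCTED_LEAKS = {"hunter2": 17000, "letmein": 3}

def fake_range_service(prefix: str) -> str:
    """Answer a range query with constructed data; records what it was sent."""
    SENT_PREFIXES.append(prefix)
    lines = ["0123456789ABCDEF0123456789ABCDEF012:2"]   # constructed noise entry
    for pw, n in CONSTRUCTED_LEAKS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)

def blocked_range_service(prefix: str) -> str:
    """Simulate the lookup being blocked at the network or DNS layer."""
    raise ConnectionError("range lookup blocked")
```

SENT_PREFIXES shows that the service only ever sees 5 hex characters, never the password or its full hash; the None result is what lets a caller save the credential with a "could not verify" notice instead of refusing the save.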