Why can we set a user password that is even one character long? Is this secure? I recommend requiring a minimum of 10 characters, one uppercase, one digit, one special char.
In addition there should be some protection system, e.g. a ban for 10 minutes after 5 failed login attempts.
ip_ban_enabled boolean (Optional, default: true)
Flag indicating whether additional IP filtering is enabled.
login_attempts_threshold integer (Optional, default: -1)
Number of failed login attempts from a single IP after which it will be automatically banned if ip_ban_enabled is true. When set to -1 no new automatic bans will be added.
http:
  server_port: 12345
  ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
  ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
  cors_allowed_origins:
    - https://google.com
    - https://www.home-assistant.io
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.200
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5
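To make the interaction between `login_attempts_threshold`, `ip_ban_enabled`, `use_x_forwarded_for` and `trusted_proxies` in the config above concrete, here is an added model of that ban logic (example code, not Home Assistant's own implementation; the `LoginGuard` class, `client_ip` helper and reset-on-success behaviour are assumptions). It shows why the forwarded header must only be trusted when the TCP peer is one of the listed proxies: otherwise a client could present a different address on every attempt and the per-IP counter would never reach the threshold.

```python
# Added example (not Home Assistant's own code): minimal model of the
# ip_ban_enabled / login_attempts_threshold / trusted_proxies settings.
import ipaddress
from collections import defaultdict

# Same proxies as in the configuration above.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.200"),
                   ipaddress.ip_network("172.30.33.0/24")]


def client_ip(peer_ip, x_forwarded_for, use_x_forwarded_for=True):
    """Return the address to count attempts against.

    X-Forwarded-For is honoured only when the immediate TCP peer is a
    trusted proxy; from anyone else the header is ignored (assumed
    behaviour, matching the intent of trusted_proxies)."""
    peer = ipaddress.ip_address(peer_ip)
    if (use_x_forwarded_for and x_forwarded_for
            and any(peer in net for net in TRUSTED_PROXIES)):
        # Leftmost entry is the originating client as seen by the proxy.
        return x_forwarded_for.split(",")[0].strip()
    return peer_ip


class LoginGuard:
    """Per-IP failed-login counter with automatic ban (hypothetical)."""

    def __init__(self, ip_ban_enabled=True, login_attempts_threshold=-1):
        self.ip_ban_enabled = ip_ban_enabled
        self.threshold = login_attempts_threshold   # -1 disables new bans
        self.failures = defaultdict(int)
        self.banned = set()

    def attempt(self, peer_ip, password_ok, x_forwarded_for=None):
        """Record one login attempt; returns 'banned', 'ok' or 'failed'."""
        ip = client_ip(peer_ip, x_forwarded_for)
        if ip in self.banned:
            return "banned"
        if password_ok:
            self.failures.pop(ip, None)   # assumption: reset on success
            return "ok"
        self.failures[ip] += 1
        if (self.ip_ban_enabled and self.threshold > 0
                and self.failures[ip] >= self.threshold):
            self.banned.add(ip)
            return "banned"
        return "failed"
```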
local access only logins for admin accounts
homeassistant.local/config/person
Local access only
Can only log in from the local network
How is your HA connected to the internet?
Also a good understanding of your network's firewall never hurts.
Also I'd complain that I have a HA in a completely offline scenario where I only want the password to be "admin", if this was implemented.
Hard to believe, but some people are not using external access, live in a solitary house and do not need passwords)))
Home Assistant over Tailscale is effectively inaccessible to anyone outside the home or Tailnet.
I am against any specific password requirements. How to make a secure password is common knowledge and even US federal guidelines are loosening restrictions. If a user feels a single character password or no password is good enough on their own network, they should be allowed to set it that way.
BTW, there should be an opposite way - logging in without a password:
Something similar was proposed some time ago - but it was rejected soon.
NO!
I am sick of systems telling me what type of password I can use.
Home Assistant is self hosted and the administrator should control their own password policies.
The admin should never be forced to meet arbitrary password complexity rules they themselves do not set.
If I want to use 1234, let me use 1234.
I can see all points of view here - the security concerns around weak passwords, the desire to have certain accounts passwordless, and not wanting a system to dictate how you manage your own instance.
What about a feature that takes all of those into consideration? By default, it could require a complex password for initial security, but there should be an admin-controlled setting that allows you to change the complexity or even set an "empty" password. In my "perfect world", this would be applied to groups of users (i.e. admin accounts could be set to require a complex password, even including 2FA, but regular accounts could use weak passwords, and guests with very limited access could be set to password-free accounts).
Until they do a zero trust assessment and identify how to rearchitect with real RBAC, all of this is academic. Security controls built on top of a weak foundation are just security theater.
There need to be real controls around who is an admin and who isn't (at the entity level) and the UI reconstructed around those concepts. Then I don't really care what you want to set for your setup, all the way from FIDO2 passkey (my choice) to no password (definitely don't recommend, but hey, I get it if you don't like security). Your install.
I'm all for '25 being the year of security but there's a way it should be done. You can't build a big wall around a pile of sticks.
Oh absolutely, I'm fully onboard with full RBAC before any change-ups to passwords/general auth like my suggested addition to the OP's WTH can really be useful!
There was some code in HA a few years ago that prompted you if your password was weak or had leaked I believe.
But the push back was too much and it was removed.
That's how I remember it at least.
I'm fine with "password" as a password, I find no reason to change it to "Pa$$w0rd" just because someone thinks it's a bad password.
As long as that setting exists as a checkbox on the initial account setup, by all means. Even unchecking "Secure password" results in a popup explaining exactly why one shouldn't uncheck "Secure password".