Supervisor: Pwned check returns after dismissal

Created on 5 Mar 2021  路  10Comments  路  Source: home-assistant/supervisor

Describe the issue you are experiencing

Since the launch of the new pwned check (#2614), I've been receiving constant alerts that one of my addons, Network UPS Tools, has a compromised password.

While the alert is correct, this is known in my local setup, and I have no option for resolution as my NUT server (Synology) does not allow customization of the user and password.

Receiving a warning on first run is okay after updating a configuration, but this is happening every few hours. As there is nothing I can do to resolve the password issue on my end, I have a persistent security alert in my notifications.

This appears to be frustrating other users, as I've seen some recent posts about it: https://www.reddit.com/r/homeassistant/comments/lx5wnr/pwned/

I'm all for increased security, but we should also have some manual controls around this, or at the very least, less noisy.

What is the used version of the Supervisor?

supervisor-2021.03.4

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

What is the version of your installed operating system?

Home Assistant OS 5.12

What version of Home Assistant Core is installed?

core-2021.3.1

Steps to reproduce the issue

  1. Configure an add-on with a compromised password. For example, my NUT configuration:
users: []
devices: []
mode: netclient
shutdown_host: true
remote_ups_name: ups
remote_ups_host: <removed>
remote_ups_user: monuser
remote_ups_password: secret
  1. Receive a pwned warning every few hours.

Anything in the Supervisor logs that might be useful for us?

# Put your logs below this line

bug

Most helpful comment

Not only does there need to be a general opt-in/out option for this, there should also be a) the ability to disable warnings for specific items, and b) the ability for users to set how frequently the system checks passwords.

As it stands now this is a perfect setup for creating "alarm fatigue". Users who have a potentially compromised password they can't change or can't change easily will simply ignore the notification icon, potentially missing a new compromise that they may actually be able and wanting to fix.

All 10 comments

It's a great idea for WAN facing services, maybe less of a "need" for LAN. Giving users an option to disable seems a reasonable request.

I agree that this must be a feature that could be disabled by a user, or only "notify once" after restart/startup of a addon.

We need to be able to able to disable this as users.

We need an option to ENABLE this. I have no clue why this was introduced with little fanfare, no options to opt-in nor opt-out.
But the fact that it was introduced with an automatically opt-in feature with no opt-out.... Seriously horrible precedent that is being set here.

I _KNOW_ my NUT password has been \~"pwned"\~ because it's literally nut

Please, make this opt in, default opt-out.
These notifications are downright annoying, and cause clutter in the history view, not to mention they come back all the time.

Additionally, what about the addons that have a parameter such as i_like_to_be_pwned - NUT as an example. I have that set to true, I have already acknowledged the risk that is associated with using a simple password. I do not need further suggestions to "help" me be more secure.
Why, all of a sudden, does this need to happen? And why does it matter so much that my notifications are clogged up by this?

Not only does there need to be a general opt-in/out option for this, there should also be a) the ability to disable warnings for specific items, and b) the ability for users to set how frequently the system checks passwords.

As it stands now this is a perfect setup for creating "alarm fatigue". Users who have a potentially compromised password they can't change or can't change easily will simply ignore the notification icon, potentially missing a new compromise that they may actually be able and wanting to fix.

This should be an integration in core that can be enabled/disabled

That's not a bug, since it's not fixed, the next check will bring it back. You need to disable it if you not want running it

That's not a bug, since it's not fixed, the next check will bring it back. You need to disable it if you not want running it

It is a "bug" as it keeps "bugging" people ;) ... how do you disable it? I still have yet to see an official response from HA on this topic (please link if i missed one).

I also am annoyed about that constant "nagging" since a few days. Everything runs on local network, I don't need a good password and I as a user want to be able to take responsibility for that.

We have received the message now, change is on route. Thanks.

Was this page helpful?
0 / 5 - 0 ratings