Since the launch of the new pwned check (#2614), I've been receiving constant alerts that one of my addons, Network UPS Tools, has a compromised password.
While the alert is correct, this is known in my local setup, and I have no option for resolution as my NUT server (Synology) does not allow customization of the user and password.
Receiving a warning on first run is okay after updating a configuration, but this is happening every few hours. As there is nothing I can do to resolve the password issue on my end, I have a persistent security alert in my notifications.
This appears to be frustrating other users, as I've seen some recent posts about it: https://www.reddit.com/r/homeassistant/comments/lx5wnr/pwned/
I'm all for increased security, but we should also have some manual controls around this, or at the very least, less noisy.
supervisor-2021.03.4
Home Assistant OS
Home Assistant Operating System
Home Assistant OS 5.12
core-2021.3.1
users: []
devices: []
mode: netclient
shutdown_host: true
remote_ups_name: ups
remote_ups_host: <removed>
remote_ups_user: monuser
remote_ups_password: secret
# Put your logs below this line
It's a great idea for WAN facing services, maybe less of a "need" for LAN. Giving users an option to disable seems a reasonable request.
I agree that this must be a feature that could be disabled by a user, or only "notify once" after restart/startup of a addon.
We need to be able to able to disable this as users.
We need an option to ENABLE this. I have no clue why this was introduced with little fanfare, no options to opt-in nor opt-out.
But the fact that it was introduced with an automatically opt-in feature with no opt-out.... Seriously horrible precedent that is being set here.
I _KNOW_ my NUT password has been \~"pwned"\~ because it's literally nut
Please, make this opt in, default opt-out.
These notifications are downright annoying, and cause clutter in the history view, not to mention they come back all the time.
Additionally, what about the addons that have a parameter such as i_like_to_be_pwned - NUT as an example. I have that set to true, I have already acknowledged the risk that is associated with using a simple password. I do not need further suggestions to "help" me be more secure.
Why, all of a sudden, does this need to happen? And why does it matter so much that my notifications are clogged up by this?
Not only does there need to be a general opt-in/out option for this, there should also be a) the ability to disable warnings for specific items, and b) the ability for users to set how frequently the system checks passwords.
As it stands now this is a perfect setup for creating "alarm fatigue". Users who have a potentially compromised password they can't change or can't change easily will simply ignore the notification icon, potentially missing a new compromise that they may actually be able and wanting to fix.
This should be an integration in core that can be enabled/disabled
That's not a bug, since it's not fixed, the next check will bring it back. You need to disable it if you not want running it
That's not a bug, since it's not fixed, the next check will bring it back. You need to disable it if you not want running it
It is a "bug" as it keeps "bugging" people ;) ... how do you disable it? I still have yet to see an official response from HA on this topic (please link if i missed one).
I also am annoyed about that constant "nagging" since a few days. Everything runs on local network, I don't need a good password and I as a user want to be able to take responsibility for that.
We have received the message now, change is on route. Thanks.
Most helpful comment
Not only does there need to be a general opt-in/out option for this, there should also be a) the ability to disable warnings for specific items, and b) the ability for users to set how frequently the system checks passwords.
As it stands now this is a perfect setup for creating "alarm fatigue". Users who have a potentially compromised password they can't change or can't change easily will simply ignore the notification icon, potentially missing a new compromise that they may actually be able and wanting to fix.