Pwned check returns after dismissal
Describe the issue you are experiencing
Since the launch of the new pwned check (#2614), I’ve been receiving constant alerts that one of my addons, Network UPS Tools, has a compromised password.
While the alert is correct, this is known in my local setup, and I have no option for resolution as my NUT server (Synology) does not allow customization of the user and password.
Receiving a warning on first run is okay after updating a configuration, but this is happening every few hours. As there is nothing I can do to resolve the password issue on my end, I have a persistent security alert in my notifications.
This appears to be frustrating other users, as I’ve seen some recent posts about it: https://www.reddit.com/r/homeassistant/comments/lx5wnr/pwned/
I’m all for increased security, but we should also have some manual controls around this, or at the very least, less noisy.
What is the used version of the Supervisor?
supervisor-2021.03.4
What type of installation are you running?
Home Assistant OS
Which operating system are you running on?
Home Assistant Operating System
What is the version of your installed operating system?
Home Assistant OS 5.12
What version of Home Assistant Core is installed?
core-2021.3.1
Steps to reproduce the issue
- Configure an add-on with a compromised password. For example, my NUT configuration:
```yaml
users: []
devices: []
mode: netclient
shutdown_host: true
remote_ups_name: ups
remote_ups_host: <removed>
remote_ups_user: monuser
remote_ups_password: secret
```
- Receive a pwned warning every few hours.
Anything in the Supervisor logs that might be useful for us?
# Put your logs below this line
Issue Analytics
- State:
- Created 3 years ago
- Reactions:5
- Comments:10 (2 by maintainers)
Not only does there need to be a general opt-in/out option for this, there should also be a) the ability to disable warnings for specific items, and b) the ability for users to set how frequently the system checks passwords.
As it stands now this is a perfect setup for creating “alarm fatigue”. Users who have a potentially compromised password they can’t change or can’t change easily will simply ignore the notification icon, potentially missing a new compromise that they may actually be able and wanting to fix.
We need an option to ENABLE this. I have no clue why this was introduced with little fanfare, no options to opt-in nor opt-out.
But the fact that it was introduced with an automatically opt-in feature with no opt-out… Seriously horrible precedent that is being set here.
I KNOW my NUT password has been ~“pwned”~ because it’s literally `nut`
Please, make this opt in, default opt-out.
These notifications are downright annoying, and cause clutter in the history view, not to mention they come back all the time.
Additionally, what about the addons that have a parameter such as `i_like_to_be_pwned` - NUT as an example. I have that set to true, I have already acknowledged the risk that is associated with using a simple password. I do not need further suggestions to “help” me be more secure. Why, all of a sudden, does this need to happen? And why does it matter so much that my notifications are clogged up by this?
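
The per-item dismissal and configurable check interval requested in the comments above could behave as follows. This is an added example, not Supervisor code: the `PwnedChecker` class, its method names, and the constructed `BREACHED_SHA1` set (a stand-in for a real breach lookup) are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a breached-password corpus lookup (assumption).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("secret", "nut")}


@dataclass
class PwnedChecker:  # hypothetical name, not a Supervisor class
    install_key: bytes                  # per-install key so stored fingerprints are not bare hashes
    interval_s: int = 24 * 3600         # user-configurable minimum time between repeat alerts
    dismissed: set = field(default_factory=set)
    last_alert: dict = field(default_factory=dict)

    def _fp(self, slug: str, secret: str) -> str:
        # Bind the fingerprint to one add-on AND one secret: changing the
        # secret, or reusing it in another add-on, yields a new fingerprint.
        msg = f"{slug}\0{secret}".encode()
        return hmac.new(self.install_key, msg, hashlib.sha256).hexdigest()

    def dismiss(self, slug: str, secret: str) -> None:
        """Record that the user accepted the risk for this add-on/secret pair."""
        self.dismissed.add(self._fp(slug, secret))

    def check(self, slug: str, secret: str, now: float) -> bool:
        """Return True only when a notification should be raised."""
        if hashlib.sha1(secret.encode()).hexdigest() not in BREACHED_SHA1:
            return False                # not in the corpus: nothing to report
        fp = self._fp(slug, secret)
        if fp in self.dismissed:
            return False                # acknowledged: stay silent until the secret changes
        if now - self.last_alert.get(fp, float("-inf")) < self.interval_s:
            return False                # already alerted within the configured interval
        self.last_alert[fp] = now
        return True


if __name__ == "__main__":
    checker = PwnedChecker(install_key=b"constructed-demo-key", interval_s=3600)
    print(checker.check("nut", "secret", now=0))       # first finding alerts
    checker.dismiss("nut", "secret")
    print(checker.check("nut", "secret", now=7200))    # dismissed: no repeat
    print(checker.check("nut", "nut", now=7200))       # new breached secret alerts again
```

Because the dismissal is keyed to the add-on and the exact secret, a newly compromised password still produces an alert, which addresses the alarm-fatigue concern raised above.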