From 93e7236b24dc725987ae1c66c81d52d54a618727 Mon Sep 17 00:00:00 2001 From: Pascal Vizeli Date: Fri, 26 Feb 2021 14:50:16 +0100 Subject: [PATCH] supervisor-pwned (#16730) Co-authored-by: Fabian Affolter Co-authored-by: Franck Nijhof --- source/more-info/pwned-passwords.markdown | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 source/more-info/pwned-passwords.markdown diff --git a/source/more-info/pwned-passwords.markdown b/source/more-info/pwned-passwords.markdown new file mode 100644 index 00000000000..ce6dec37d80 --- /dev/null +++ b/source/more-info/pwned-passwords.markdown @@ -0,0 +1,14 @@ +--- +title: "Pwned passwords and secrets" +description: "More information on detected pwned secrets in Home Assistant." +--- + +We are using the [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/Passwords) service for detecting leaked or compromised secrets, like passwords. + +If you get a warning about it, it means that you are using secrets in your configuration which have been leaked and are publicly known. It is strongly advised to change these secrets with a more secure alternative as soon as possible. + +Please note; this feature does not send out your secrets to check this. Your secrets and privacy is guaranteed by a [K-Anonymity][k-anonymity]. Your secrets are hashed, the first 5 characters of the hash result are used to query Have I Been Pwned. Have I Been Pwned returns the results of possible password hashes that match, we check the last part of the password hash against this list locally. + +[Read more about K-Anonymity on this CloudFlare blog post][k-anonymity]. + +[k-anonymity]: https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
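Review bot: In the "Please note" paragraph of the new pwned-passwords.markdown, "Your secrets and privacy is guaranteed by a [K-Anonymity]" overstates what the scheme provides and has a subject-verb mismatch. The same paragraph says the first 5 characters of the hash are used to query Have I Been Pwned, so data derived from the secret does leave the host. Suggest wording along the lines of "Your secrets are protected using k-anonymity: only the first 5 characters of the hash are sent, and the rest of the hash is compared locally", and naming the hash algorithm so readers can check the claim themselves. Smaller points in the same paragraph: "Please note;" should take a colon, and "Have I Been Pwned returns the results of possible password hashes that match, we check the last part ..." is a comma splice that reads better as two sentences. In the warning paragraph, "change these secrets with a more secure alternative" should be "replace these secrets with a more secure alternative", and it would help to state which configuration secrets are checked and where the warning is shown, since the text only says "secrets in your configuration".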