New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow hashed passwords #1581
Allow hashed passwords #1581
Conversation
@@ -32,6 +32,8 @@ | |||
|
|||
DOMAIN = "http" | |||
|
|||
REQUIREMENTS = ["passlib==1.6.5"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not use Python built-in ? https://docs.python.org/3.4/library/hashlib.html
I think the idea of storing hashed passwords for http to be a good idea. Some problems that I foresee is that both the remote instances API and the MQTT server need to be able to access the password. The problem here is that if we can decrypt a password we're pretty much giving a false sense of security. So that makes it pretty much impossible at this point. This all should probably be part of a bigger overhaul to add a proper authentication layer. But I don't know how that would look right now. |
For future reference, I think bcrypt is currently a better (more secure) way of hashing passwords than sha256, after reading a couple of blogs about the subject. |
bcrypt is excellent for this, but so is sha256, albeit being more crackable by GPUs and custom ASIC attacks. FWIW, NIST suggests PBKDF2). All of these are quite good and considered very resistant to cracking. For @fabaff it does seem like hashlib would be preferable over passlib however. @balloob is right there. |
I switched to hashlib for the hashing. Sorry the title was misleading. While an approach like Ansible Vault would add extra protection for sensitive data like password and API key it would make it hard to auto-restart Home Assistant without user interaction. |
@fabaff I will be closing this PR in favor of the result of this discussion. It should make everything better https://community.home-assistant.io/t/migrate-http-stack-to-wsgi-based-framework/576 |
Description:
At the moment passwords and API keys are stored in plain-text in the
configuration.yaml
file. This PR is a RFC for the feature of encrypted/hashed passwords as opt-in.Related issue (if applicable): Story
Example entry for
configuration.yaml
(if applicable):The script
script/gen_hash.py
is a helper to created the needed hash. Only the http component is supported at the moment.Checklist:
tox
run successfully.dev
branch before creating the PR.REQUIREMENTS
variable (example).requirements_all.txt
by runningscript/gen_requirements_all.py
..coveragerc
.