Allow hashed passwords

[fabaff]

Description:
At the moment passwords and API keys are stored in plain-text in the configuration.yaml file. This PR is a RFC for the feature of encrypted/hashed passwords as opt-in.

Related issue (if applicable): Story

Example entry for configuration.yaml (if applicable):

http:
  api_password: $5$rounds=535000$PEN/g8jYEZT.81GW$SISbV67EfbJOITelNNeZUKZ/s6KY2rT3CjW5vW2diwB

The script script/gen_hash.py is a helper to created the needed hash. Only the http component is supported at the moment.

Checklist:

• Local tests with tox run successfully.
• TravisCI does not fail. Your PR cannot be merged unless CI is green!
• Fork is up to date and was rebased on the dev branch before creating the PR.
• Commits have been squashed.
• If code communicates with devices:
  • New dependencies have been added to the REQUIREMENTS variable (example).
  • New dependencies are only imported inside functions that use them (example).
  • New dependencies have been added to requirements_all.txt by running script/gen_requirements_all.py.
  • New files were added to .coveragerc.
• If the code does not interact with devices:
  • Tests have been added to verify that the new code works.

[balloob]

Why not use Python built-in ? https://docs.python.org/3.4/library/hashlib.html

[balloob]

I think the idea of storing hashed passwords for http to be a good idea.

Some problems that I foresee is that both the remote instances API and the MQTT server need to be able to access the password. The problem here is that if we can decrypt a password we're pretty much giving a false sense of security. So that makes it pretty much impossible at this point.

This all should probably be part of a bigger overhaul to add a proper authentication layer. But I don't know how that would look right now.

[MartinHjelmare]

For future reference, I think bcrypt is currently a better (more secure) way of hashing passwords than sha256, after reading a couple of blogs about the subject.

[SEJeff]

bcrypt is excellent for this, but so is sha256, albeit being more crackable by GPUs and custom ASIC attacks. FWIW, NIST suggests PBKDF2). All of these are quite good and considered very resistant to cracking.

For @fabaff it does seem like hashlib would be preferable over passlib however. @balloob is right there.

[fabaff]

I switched to hashlib for the hashing. Sorry the title was misleading.

While an approach like Ansible Vault would add extra protection for sensitive data like password and API key it would make it hard to auto-restart Home Assistant without user interaction.

[balloob]

@fabaff I will be closing this PR in favor of the result of this discussion. It should make everything better https://community.home-assistant.io/t/migrate-http-stack-to-wsgi-based-framework/576