ESPHome Passwords Do You Need Them? Don't do this!
- Added 30. 06. 2024
- Let's discuss a few things about #ESPHome passwords in #homeassistant
00:00 Intro
01:50 Remove Encryption
02:27 DON'T DO THIS
04:07 Good use for OTA Password
06:52 BUT I want to get RID of it!
08:10 How do I REMOVE the password?
10:22 Closing & The BEST
"Ctrl + /" I had no idea that existed and have wanted that function for years. Thank you!
The hidden little tips in the vids! 😎
If you’re familiar with vscode all the macros are the same (at least I think) - for example shift+ del will delete the whole line
Thank you, you saved me lots of testing. Doc is not clear about deleting passwords
Nice!
Ctrl + / - how did I never know this?! Life saver!! Thank you 🙏
Great video,
Only have a couple of esphome test devices but will keep it in mind.
If someone gets access to my network, the last thing I would be worried about is my HA.
Thanks. Was battling with just this earlier in the week.
Great video as always.
Lol, had my first foray into ESPHome tonight, trying to move more and more into my ha instance... Glad to have some more valuable information!
If you use the OTA passwords... Never ever lose them or delete them is the most important thing I wanted to stress.
This password is one of the most common beginner traps for esphome, your cloudcut device is basically locked out. To be honest this encryption/password stuff should be only done during device onboarding and it should have the ability to wipe it out when you performed the reset configuration via long button press during bootup.
It is a very common thing I see people doing. They delete the password and have no backup or lose the yaml file and get locked out. Definitely should be optional as people just click past and don't realize the importance of never losing that password.
@digiblurDIY I have an electric heater that this happened to. I’m stuck on 2022.3.1. I’ve tried to read the bin file to get the original ota password. I’ve come close without success. It’s disappointing.
Very cool! Thanks. Hey, seems like there should be a way to use the node name as a variable to send to the lambda as the new password string. That would make it easier to update multiple ESPHome nodes easier, without typo errors. Any thoughts?
Not a bad idea there and keeps it the same. It would be cool if it followed the filename type thing.
@digiblurDIY You could probably use some kind of substitution variable like “$filename” or such, maybe?
Awesome! I've been using a workaround to remove encryption and password by removing them, then manually downloading the bin file and flashing it onto my device instead of doing the first flash through HA
Ahh.. Yes.. This is a little easier.
Definitely a trap. Security is often at odds with usability. It's great to run your own local infrastructure so you can choose what works best for you! My ESPHome stuff is all non-critical so I'm happy to rely on the WiFi's own encryption. All that stuff is on a separate VLAN with no net access and with appropriate firewall holes poked for MQTT and Home Assistant.
Do you know how to protect CloudCutter freed devices so the GUI login screen is password protected?
Yup. Add in your auth for the webserver if you are using that component. esphome.io/components/web_server#configuration-variables
Thanks for sharing this helpful tip as I always save the yaml to text file as backup 👍
No problem 👍
@7:27 what IDE are you using to edit these?
That's the Esphome dashboard.
Thanks so much for your quick reply, I'm gobsmacked, NO YT vid I've sat through has ever mentioned there is one, again thanks, I'll go try and find the elusive YT vid that covers something on this for the newcomer. Happy New Year to you @digiblurDIY
Thanks for this Travis.
Better deal with this before OG starts sneaking out to meet girls. You're going to need to lock ssit down!
He might be sneaking off of that SSID as the filtering isn't there on LTE
Setting the password to the hostname is not that safe either! Script kiddies will use the hostname as the password right after "password" and "1234". Just add some other characters after your hostname. It will make it a bit more safe ;-)
yeah I figured I'd add something that I knew to it. But again, least of my worries if someone else is on my vlan
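As an added example (not from the video or from any commenter), the Python sketch below audits the `ota:` block of an ESPHome YAML file for the cases raised in this thread: no password, a password written inline rather than through `!secret`, and a password equal to or built from the node name, with `substitutions:` expanded first. The line-based parser and the finding codes are assumptions made for illustration, not an ESPHome tool.

```python
import re

TOP = re.compile(r"^([A-Za-z_]\w*):")
KV = re.compile(r"^\s+(?:-\s+)?([A-Za-z_]\w*):\s*(.+?)\s*$")

def parse(text):
    """Scalar key/values per top-level section (line-based sketch, not a YAML parser)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        top = TOP.match(line)
        if top:
            current = sections.setdefault(top.group(1), {})
        elif current is not None and (kv := KV.match(line)):
            current[kv.group(1)] = kv.group(2).strip("\"'")
    return sections

def resolve(value, subs):
    """Expand $name / ${name} using the substitutions: section."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: subs.get(m.group(1), m.group(0)), value)

def audit(text):
    """Return finding codes (hypothetical names) for the ota: block of one config."""
    s = parse(text)
    subs = s.get("substitutions", {})
    name = resolve(s.get("esphome", {}).get("name", ""), subs).lower()
    if "ota" not in s:
        return ["no-ota-component"]
    pw = s["ota"].get("password")
    if pw is None:
        return ["ota-no-password"]
    if pw.startswith("!secret"):
        return []  # value lives in secrets.yaml, which must be backed up too
    findings = ["ota-password-inline"]  # losing this file loses the password
    pw = resolve(pw, subs).lower()
    if name and pw == name:
        findings.append("ota-password-is-node-name")
    elif name and name in pw:
        findings.append("ota-password-contains-node-name")
    return findings

# Constructed sample config, not taken from the video.
SAMPLE = ("substitutions:\n  devicename: porch-light\n"
          "esphome:\n  name: ${devicename}\n"
          "ota:\n  - platform: esphome\n    password: \"$devicename\"\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```
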
Please don't tell me that you don't have snapshots enabled on your server and you cannot easily recover a file if you accidentally deleted the password 😮
I have automated versioning myself of files in my docker containers. But everyone does not have this setup.
@digiblurDIY I just do a zfs snapshot every 15 minutes. But really I never edit my files on the servers. For the esphome I commit everything into git and my CI/CD pipeline delivers it to esphome. So no line of code is ever lost.
Thank you for going shaved head
Should have done it a while back.
I don't agree with your advice because wifi isn't impenetrable. However I do appreciate you sharing a how-to for those who wish to remove this feature, to help prevent them from locking out their own devices.
I'm going to keep my API clients as secure as possible regardless of their potential exposure. You never know what kind of CVE could crop up and I also don't like the idea of someone potentially loading their own code onto something that is on my network.
You do you - for better or worse.
Which advice? To remove or add it? Set it as one password? Use the device name? I gave it all. You could even do a spin and add something to the end of the hostname and do your own thing.
@digiblurDIY I realize I was vague... and I shouldn't claim it was your "advice" but rather your opinion that encryption is not necessary on private networks.
Yeah the encryption isn't something I do being on a private network. There are larger issues than my light bulbs turning on if my private network is compromised. Up to the user if they want to do it.
The larger issue here is the OTA password mess.
@digiblurDIY In my case I use the devices for a lot more than lights and could be detrimental. To each their own.
@digiblurDIY the argument you used for why you spend time actively removing the encryption instead of just leaving the default in, was basically "I feel bad for the esp having to do so much"
You're also giving blanket advice to the internet that encryption isn't needed on your home network, because all someone could do is turn on and off light bulbs. I have an esp that opens and closes my garage. I have another one that's "just a sensor for whether a door is open or closed" But it's tied to an automation to lock a door, and if I had it set up wrong (I don't) it would be possible to send homeassistant information about that sensor to trick an automation into "toggling" a lock.
Obviously the door sensor is an extreme example because I don't have the automation set up to toggle instead of lock. And clearly I know enough to know when to ignore advice I run into on the internet.
I'm not going to say that turning off encryption on an esp device that's just turning on and off lights is a problem, because it's probably fine.
And I obviously don't think that people should blindly listen to advice on the internet, and turn off encryption just because someone on the internet says it's dumb. I think that people need to be smart enough to know whether what their esphome device is doing is sensitive or not.
But I also think that you left out any nuance in your video. You basically said it's dumb, the chip doesn't need to be doing more than it has to. And you're going out of your way to turn off a default.
Remove that junk 😄
Brother, you are a serious influencer in Home Assistant matters. Do you really think that telling people nowadays: "passwords, encryptions are NO NO!" - just look around the corner what is happening every day just because people don't care about passwords/security etc.
Don't encourage people to be careless.
just my 3 cents ;-)
These are home devices. If someone gets on your network at home, you have bigger issues than some light bulbs going crazy from a hack 😂
I showed you how to set it or remove it. It is your choice.
@digiblurDIY you definitely expressed your opinion (starting with 01:36) - again: you did not push anybody, but being an influencer you could be more ... mature with your advice ;)
@zyghom Yeah the encryption isn't something I do being on a private network. There are larger issues than my light bulbs turning on if my private network is compromised. Up to the user if they want to do it.
The larger issue here is the OTA password mess.
@digiblurDIY you forgot, that majority of people use "1 password for ALL" - and this is the beginning of the collapse. Nobody gives a s..t about 1 bulb. Think big