this post was submitted on 30 Mar 2026
28 points (93.8% liked)


I'm running my own HA locally, in my house, but I would like to be able to access it also when I'm not home. So I've put it on my Zerotier One VPN, which works fine. Except for two things:

  1. HA no longer knows when I'm home - it thinks I'm always home;

  2. Other people in my household would also like to have remote access, but it's unrealistic to have them install and use the VPN.

So - can I just open it up, and rely on long, complex passwords? Or is that a complete no-go?

[–] SwingingTheLamp@piefed.zip 3 points 1 day ago (1 children)

I work in IT at a major university, and watch the logs. My Home Assistant instance is open to the Internet behind an nginx reverse proxy with SSL. (The official add-on makes it easy.) Brute-forcing passwords on HTTPS is not really a thing anymore. I get a connection attempt or two per month at home. At work, they go for known vulnerabilities in web apps; WordPress, mostly.

[–] eleijeep@piefed.social 1 points 6 hours ago (1 children)

> Brute-forcing passwords on HTTPS is not really a thing anymore.

Why is that?

[–] SwingingTheLamp@piefed.zip 2 points 4 hours ago

I would expect that the cost-benefit calculation doesn't work out. If you have a password hash in local memory, then the computer can try each possibility in nanoseconds, and it can still take several minutes to crack trivial passwords.

To brute-force a password over HTTPS, each attempt is on the order of microseconds, about 1/1000th the speed, or slower. Plus, all the overhead of SSL, which imposes a compute burden on the attacking machine.

And that's just trivial passwords, plus assuming that the target host doesn't have connection rate-limiting, or even a sysadmin who'd notice the logs getting flooded with bad requests continuously for a couple of days.
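
The last point in the thread, noticing a flood of bad requests in the logs, can be automated. The sketch below is an added example, not part of any comment above: it scans nginx access-log lines and reports clients that reach a failure threshold inside a sliding window. It assumes nginx's "combined" log format and that rejected logins show up as 401/403 responses; the `/login` path, the sample entries and the threshold values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
FAILED = {"401", "403"}  # assumption: rejected logins surface as these statuses


def noisy_clients(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each client IP to the time it first hit `threshold` failures within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] not in FAILED:
            continue  # unparseable line, or not an authentication failure
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(m["ip"], ts)
    return flagged


def sample_line(second, ip, status):
    """Build one constructed access-log entry; /login is a hypothetical path."""
    return (f'{ip} - - [30/Mar/2026:10:{second // 60:02d}:{second % 60:02d} +0000] '
            f'"POST /login HTTP/1.1" {status} 120 "-" "sample-agent"')


# Constructed sample: one client failing every 5 s, one user mistyping twice.
EVENTS = [(s, "203.0.113.7", 401) for s in range(0, 40, 5)]
EVENTS += [(3, "198.51.100.20", 401), (40, "198.51.100.20", 401), (70, "198.51.100.20", 200)]
SAMPLE_LOG = [sample_line(*e) for e in sorted(EVENTS)]

if __name__ == "__main__":
    for ip, when in noisy_clients(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when.isoformat()}")
```

The household member who mistypes twice and then logs in is not flagged; only the client with five failures inside one minute is.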