I’m running my own HA locally, in my house, but I would like to be able to access it also when I’m not home. So I’ve put it on my Zerotier One VPN, which works fine. Except for two things:
-
HA no longer knows when I’m home - it thinks I’m always home;
-
Other people in my household would also like to have remote access, but it’s unrealistic to have them install and use the VPN.
So - can I just open it up, and rely on long, complex passeords? Or is that a complete no-go?
I would expect that the cost-benefit calculation doesn’t work out. If you have a password hash in local memory, then the computer can try each possibility in nanoseconds, and it can still take several minutes to crack trivial passwords.
To brute-force a password over HTTPS, each attempt is on the order of microseconds, about 1/1000th the speed, or slower. Plus, all the overhead of SSL, which imposes a compute burden on the attacking machine.
And that’s just trivial passwords, plus assuming that the target host doesn’t have connection rate-limiting, or even a sysadmin who’d notice the logs getting flooded with bad requests continuously for a couple of days.