Why am I NOT prompted for MasterControl username/password when logging into HE?

claytonclan · October 12, 2025, 2:08am

Hello...

I am running a HE C8 Pro with 2.4.3.133 firmware, fresh out of the box and updated.

I am extremely conscious of computer security and the need for it due to 2 identity thefts, dozens of data breach inclusions of my personal data and stunning amounts of hacking attacks from around the planet for stuff I manage.

I was very happy to see an option to define a username/password to log into my HE.

When I selected that option, I got the following page.

I created my own username/password and saved it off.

When I log into my HE using the Mobile App, I have to go through the login process with my recovery email and my account password.

When I am sitting here at my laptop on a hardwire connection to my HE and using Chrome to access the HE, I have NEVER been prompted to enter the username that I created!

WHY isn't this device asking for the login creds I created when using Chrome on my laptop?

It would also be a HUGE help to have it clearly define what characters and quantity of characters can be used for both the username AND ESPECIALLY for the PASSWORD!

I use a password manager set for 19 character passwords of upper/lower letters, numbers and ALL special characters.

I have run into far too many vendors/applications that have limited length and composition for passwords. Which is NOT a good thing in this day and age!!!!

Seriously consider the vulnerability of your passwords in 2025 knowing the following information.

With the explosion of AI, especially within the mathematics world, I fully expect that this chart will be significantly changed in the very near future that could make 18 character complex passwords crackable in a very short period of time.

Keep in mind that the chart is brute force. When an attack is using massive AI tokens and working the math out, it would take a bit of information about the encryption seeds to figure everything out. Or some lucky guesses.

Bottom line is that even with the HE sitting in my house, Comcast is controlling my modem to the WWW and their systems. Which is why I have my own firewall right behind their modem that is locked down tightly. My internal network is behind that firewall. That firewall also supports a DMZ network that all the IoT devices sit on, including the HE, eventually, that can only talk with the WWW.

My thanks for your time and help on this!

Paul

JumpJump · October 12, 2025, 4:21am

Paul, did you happen to review the help page to ensure you completed the needed steps?

Hub Login Security (Settings) | Hubitat Documentation?

marktheknife · October 12, 2025, 10:21am

The toggle switch in the upper right of the screenshot is toggled to “off.”

Toggling it on should enable hub login security.

claytonclan · October 12, 2025, 1:43pm

@JumpJump @marktheknife

My thanks for your replies.

The following is the documentation page.

The following is what I saw with the Chrome browser in dark mode, which helps with my eyesight problems and what I normally run in.

The page naturally looks like the following.

I should have guessed that the toggle button was there for a reason and just clicked it.

It would have been better to have the web page that shows up when running HE 2.4.3.133 show up like the page in the documentation.

My thanks for your time.

Paul

claytonclan · October 12, 2025, 2:59pm

@JumpJump @marktheknife

One other documentation discrepency is that once I flipped the toggle switch to enable the login security, I get the following window showing up.

I was not logged out of the hub when I clicked on 'Turn hub login security On' AND the window that I was on at the time remained open.

I did get a new browser window opened up that is asking for my login credentials.

So now I have two windows. The original Settings window that I used to enable security and the login window.

I was able to click other things such as Apps and Devices in the original window.

Basically I could ignore the login window at this point and do whatever.

Now for the weird part.

That new 'login window' is to the cloud account, NOT the HE hub on my local network!

Logging into that web page got me to:

I logged out of that window and closed it. All of this was done in Chrome to this point.

I then opened a new Chrome browser window, loaded the URL for my HE C8 Pro and hit return.

NEVER got the login window! I was into the hub as if I never set the security account and flipped the toggle switch! Both of which were done!

I then opened a Microsoft Edge browser window and put in the HE C8 Pro hub URL and hit return. I DID get the login window, which worked as expected. Yea.

But wait, don't declare victory.

My 'Home' window in the MS Edge browser shows the following.

The major item to note is that the page is missing my username under the Hubitat logo in the upper left corner, as the documentation states should be there.

I have no equivalent of the 'Bobby' entry mentioned in the documentation on my window!

Which means I have no means to do a clean logout of the HE on my Microsoft Edge browser page!

This is all with HE C8 Pro running 2.4.3.133.

Problems remain with both the documentation and with the implementation of secure logins.

Paul

hydro311 · October 12, 2025, 3:12pm

I've used Login Security ever since I've been on Hubitat (many years now), and I've never seen my username in the upper left of my UI like that

But I also don't use Remote Admin, so I have no experience with how Login Security works in conjunction with Remote Admin.

AFAIK, there is no logout option per se. If my hub reboots or I attempt to access your hub from another device/Window, I get the login prompt, so that works fine for me.

JumpJump · October 12, 2025, 4:17pm

A lot to unpack there. Perhaps a little over thinking. Maybe a little covering for missing the needed steps.

If you are an it person you probably know you are hitting two different endpoints. There is a local and a cloud. They are different.

Close all of your browser tabs and quit your browsers. Open one browser and log into the local endpoint and see what happens.

claytonclan · October 12, 2025, 5:51pm

@hydro311

My thanks for your reply.

I tried logging into my HE device on a different computer using both Chrome (141.0.7390.66 as of 10/12/25) and Edge (141.0.3537.71 as of 10/12/25) browsers.

I found that both browsers worked the same when Secure Login was enabled.

I can log into the device then move around different web pages then close the browser window completely. Then open a new browser window, point it at the HE and I get the login window once again.

Which is a good thing.

It also implies that the HE C8 Pro, running 2.4.3.133, is not storing any cookie in the browser that says you previously logged into HE. Which is what web apps such as Google GMail does when you click on the 'Keep me logged in' option.

Some web apps just create the cookie regardless and it stays in the browser until you log out of the web app which deletes that login cookie.

I don't use Remote Admin either.

A search of the 'Hub Login Security (Settings)' document page at:

Has NO mention anywhere of Remote Admin, which to me means that the contents of that instruction page is solely focused on the HE device.

And there are portions of that instruction page that are NOT matching the current sequence of events that occur when you enable and then use this important security feature. Which I pointed out in my earlier posts to this thread.

How does the Hubitat product and documentation groups get notified/involved when a forum thread finds issues with how the HE behaves and the supporting documentation for it?

Thanks.

Paul

claytonclan · October 12, 2025, 6:08pm

@JumpJump

My thanks for your reply.

Yes, a lot to unpack as it covers several issues with the documentation and how the HE currently works. Both of which has implications to the product dev group and the documentation group.

The only step I missed was moving the toggle to enable it. It was a toggle out on the right edge with nothing around it. And that web page does NOT currently match the documentation.

As for being an IT person, yep. 35+ years doing computer infrastructure work from desktops, networks, security, data center servers/storge/networks/virtualization for several very large, large number Billion $, defense and Intel communities.

Yes, I know there are two different end points, the cloud and HE. Which is why I pointed that out.

The documentation says that once I enable the Secure Login toggle I will immediately logged out of the hub and will need to log in again.

I fully expected that to happen.

What ACTUALLY happened is that a new tab was opened up in my browser asking for login creds. I thought that was great, and that the new tab would be to the login page of the HE DEVICE. Nope. The login page was to the Cloud account! WHY the cloud account when the documentation said I would need to log into the HE device?

AND the original browser tab was left open, right where it was originally and I could move around to any web page within the HE!

My expectation was that when I flipped the Security toggle, the HE would log me out of the existing admin web page which would leave me at either a login page or a web page that said something like "You have been logged out the HE device, please click 'here' to redirect to the login page". Where 'here' is a hyperlink to the HE device URL for logging into the device.

I addressed other parts in my reply to @hydro311 15 minutes earlier than this response.

Thanks.

Paul

JumpJump · October 12, 2025, 7:52pm

So is it working properly for you now? Or do you still have problems with the authentication?

claytonclan · October 13, 2025, 4:23am

@JumpJump

Yes, I am being prompted to log in with credentials to the HE device.

The documentation needs to be fixed.

I also found an interesting icon on the HE web pages now, that provides for LOGGING OUT of the HE! The documentation says it should be available above the HOME entry in the left column where the account name SHOULD be displayed, but isn't.

What I found is the following button in the upper right hand corner of the web page for logging out of the HE!

Which is another item not mentioned in the documentation.

Paul

bertabcd1234 · October 13, 2025, 4:30am

The user interface received a significant overhall recently in platform 2.4.0, and each version since has continued evolving several pages. Occasionally, you will see the old interface in screenshots/docs that have not yet been touched (or slipped through the cracks). When this happens, you can usually find the same thing, just looking slightly different.

And that's what's happening here:

The logout option has moved to this location -- it's not "another item" but rather the same feature.

This docs will likely be updated soon, however. Glad you figured it out!

sburke781 · October 13, 2025, 11:00am

I won't say I have read all the comments in detail, but on the surface how refreshing to see a conversation like this be so civil and seemingly constructive.... i.e. thanks to @claytonclan for being constructive...

And thanks to @bertabcd1234 for providing some context and offering a likely adjustment to enhance the documentation.

EDIT - Maybe that paints other conversations of this nature in a bad light.... They are not all bad.... Still, worth calling out a good one...

claytonclan · October 13, 2025, 1:59pm

@sburke781

Very gracious of you.

Thanks.

Take care.

Paul