My IotaWatt suddenly requests username and password - resolved

I was able to get my IotaWatt up and running normally, connected to it and set it up. However, as of yesterday, whilst the LED is steady green, when I try to connect to it either via my PC Chrome browser, Microsoft Edge browser or via my Android device Chrome browser after I type the http://iotawatt.local/ URL or IotaWatt’s IP address, it opens up a Sign-in screen requesting a Username and Password and stating the message: “Your connection to this site is not private”. I have never set up any username and password to access my IotaWatt. Can anyone help, please?

Thanks!

Sounds like passwords are set. Can you post a screenshot of the sign-in screen? Also, when was the unit installed?

Thanks for coming back to me. I have attempted to upload a screen-shot of the sign-in screen.

The unit was installed I believe around December 29th 2019 and has been working normally till yesterday. Yesterday it prompted me with a log-in screen for the first time.

An additional piece of information is that on browsers on Android devices, on entering http://iotawatt.local/ it has now started saying that its server IP address could not be found. If I enter the actual IP address of the device, it opens the log-in screen I have been referring to.

Thanks again!

OK, I’m pretty sure a password has been set. I understand that you deny setting one, there could be other explanations, nevertheless, the password must be removed.

First, do you know what auto-update class is set in your device? MAJOR would have updated a couple of days ago, and I want to rule out that had anything to do with it.

Next, the only way to reset the password is to remove the SDcard and delete the password file using another computer. Is that something you want to do, or alternatively, you can send it to me and I can do it.

If you want to proceed with card removal, I can provide instructions for removal and which file to delete.

Thanks for your prompt response!

I am not sure which auto-update class I had set, but I think I had left it to its default, this being I think MAJOR, as you mention. I don’t know if it had anything to do with an update. The problem was noticed by me yesterday.

If we are to work on the attempt to remove the password, I will try to do it myself, so please send me instructions for removal and for which file to delete.

Thanks again for your support!

The unit ships with auto-update class MINOR, so that answers my question. No changes there recently.

To reset the password(s):

Remove the USB power plug and AC adapter plug from the unit!

Remove the four screws in the bottom. They are self tapping and don’t usually just fall out, you usually have to tap the unit to make them fall out.

Remove the top cover and lift the circuit board clear of the base.

Locate the SD socket and card on the back end of the circuit board.

Be careful removing the card, it is fragile and can be cracked if not pulled straight out. There’s a lip on the top back edge of the card. Grasp it with fingernails and gently pull straight out.

Mount the card on another computer. In the /iotawatt directory there should be a file named auth.txt. So that’s /iotawatt/auth.txt. Delete the file auth.txt. DO NOT DELETE ANY OTHER FILES IN DIRECTORY IOTAWATT. They are your datalogs and message logs.

While you are in there, make a copy of the /iotawatt/iotamsgs.txt and in the root directory config.txt in case this doesn’t solve your problem.

Gently reinsert the card directly into the IoTaWatt, reassemble, connect the AC adapter and then power up with the USB power plug.

You should be able to log on without a password.

Please post back your results. I have some follow up suggestions regarding how this could have happened and what you could do to protect against it.

1 Like

Thanks again for the prompt response and the detailed instructions. I have left home for a short trip abroad so I will not be able to do what you have proposed. I will be back early next week and once I have tried what you told me, I will post back my results.

I would once again like to thank you for your support!

I changed the title to remove “saying connection not private”, here’s why:

The “connection not private” is not part of the problem. The problem is that it needs the username and password. “connection not private” is telling you that you are about to enter a password over an insecure HTTP session, and so your passwords may be exposed in plaintext as they are transmitted.

But that’s not the case here.

There are differing ways to negotiate passwords. The most common is called “Basic”, where the passwords are simply sent in an authorization header encoded in an easily decoded format. The redeeming virtue of this is that it’s usually sent within an HTTPS encrypted message so not actually exposed. That’s why the password prompt is telling you that your session is not HTTPS, it’s HTTP which is not private.

IoTaWatt uses a different method of negotiating the password that does not expose it when sent over an insecure session. That method is called “Digest” authentication. When requesting authorization, IoTaWatt sends some unique information to your browser. The browser then generates a cryptographic hash of the username, password, and a bunch of other things. That hash is sent to authorize the transaction. Anyone capturing the transaction mid-flight cannot extract the username or password, and the hash is unique to that transaction so cannot be used to authorize any other transaction, even a replay transaction.

So the browser, out of an abundance of caution, is simply telling you buyer beware when you send passwords over a non-private session. Although IoTaWatt cannot do HTTPS, it has the password security covered.

1 Like

I have followed the detailed instructions for resetting the password above and I am glad to inform that all is now working fine after deleting the auth.txt file.

Once again, thanks for the high quality support!

Any chance can get an ssh module installed so can login and delete the file or a web interface to do the same?

There is no ssh capability with the ESP8266. If you know the admin password, you can remove it by simply resetting it to blank.

Requiring physical access to reset the passwords when admin is not known is by design.

Thanks. Sorted. I setup password for homeassistant but no longer needed. A read only would be great