GitHub to Warn Users on Compromised Passwords
6.8.18 securityweek  Incindent

In a move to protect its users, software repository site GitHub is now alerting account holders whenever it detects that a password has been compromised in breaches on other services.

Security experts have long pushed for the use of long, unique passwords, to ensure stronger security of all online accounts. However, even unique passwords can pose a great risk when compromised, especially if attackers can link them to specific accounts.

The new feature is the result of a partnership with Troy Hunt, the security researcher behind the popular HaveIBeenPwned.com project. The service allows users to check whether their accounts and passwords have appeared in any data breaches.

An internal tool GitHub has created is now taking advantage of a 517 million record dataset that Hunt made available for download through its service to “validate whether a user’s password has been found in any publicly available sets of breach data.”

The open-source software repository platform enabled the feature last week. The functionality, it says, it meant to alert all people who are using compromised passwords and prompt them to select a different one during login, registration, or when updating their password.

“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.

Users who have two-factor authentication (2FA) enabled will receive periodic warnings to review the 2FA setup and recovery options, GitHub also reveals.

However, traditional 2FA options such as SMS have proven to be unreliable, and all of the online platform’s users are advised to use a 2FA authenticator application that supports cloud backups, to ensure a recovery option is always available for them.

“These new account security enhancements will help improve the security of your account. We hope you will take this opportunity to review the security of your account. Balancing security, usability, and recoverability is a personal decision,” GitHub notes.

The service’s users are advised to generate strong, unique passwords using a dedicated manager, to enable 2FA, and to make sure an account-recovery method is available. They should also update their primary email address if necessary and review their other credentials on the platform, GitHub says.

GitHub, which will soon become part of Microsoft, has made other security improvements as well, including the enforcing of SSL/TLS. This, however, did not stop hackers from compromising accounts to spread malicious code, as was the case with the recent Gentoo incident.