Story image

GitHub security tool checks passwords against 517m breached credentials

06 Aug 18

Web development and coding platform GitHub has rolled out password and two-factor authentication revamps to make user accounts more secure – thanks to the popular password checking site HaveIBeenPwned.com.

GitHub’s new password security feature works by checking to see if a particular password has already been compromised in a breach.

Security expert Troy Hunt created HaveIBeenPwned.com, a website that allows people to see if their emails and passwords have been involved in a data breach.  Hunt also created a dataset of around 517 million compromised passwords and made these publicly available on the website.

GitHub used that dataset to create an internal version of the service, which means it can check if a user’s password has been found in any publicly available sets of breach data.

“People using compromised passwords will be prompted to select a different password during login, registration, or when updating their password. Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.

GitHub has also improved its two-factor authentication methods. It will now ‘periodically’ remind users to review their two-factor authentication setups and recovery options.

Those recovery options include two-factor authentication codes; fallback numbers; account recovery tokens; and FIDO U2F keys.

“We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean,” GitHub adds.

GitHub users who haven’t set up two-factor authentication can access it by going to their account settings and clicking the ‘Security’ tab.

GitHub also recommends the following actions:

1. Update your password a long, unique value that is generated by a password manager. Consider a cloud-synchronised password manager.

2. Use two-factor authentication. Using a TOTP application is more secure than using SMS to deliver codes, but has a higher chance of irrecoverable loss leading to account lockout. Consider a cloud-synchronised application that supports securely backing up your two-factor credentials.

3. Ensure you have a method of recovering your account if you lose access to your two-factor device. Having a hardware U2F key is a secure option. Also, be sure to store your two-factor backup codes somewhere secure like a password manager or a secure physical location. Consider linking your account to Facebook via Recover Accounts Elsewhere.

4. Update your primary email address if necessary and determine if a backup email address is desirable. These settings will determine which email address(es) are allowed to perform a password reset.

5. Review other GitHub credentials. While we remove SSH keys, deploy keys, OAuth authorisations, and personal access tokens that have not been used in a year, it’s always a good idea to manually review them periodically. 6. Consider signing up for HaveIBeenPwned notifications. You do not need to provide a password.

GitHub says its new security improvements are designed to help users balance security, recoverability, and usability of their accounts.

TCS collaborates with Red Hat to build digital transformation solutions
“By leveraging TCS' technology skills to build more secure, intelligent and responsive solutions, we aim to deliver superior end-user experiences."
Twitter suspects state-sponsored ties to support forum breach
One of Twitter’s support forums was hit by a data breach that may have ties to a state-sponsored attack, however users' personal data was exposed.
How McAfee aims to curb enterprise data loss
McAfee DLP aims to help safeguard intellectual property and ensure compliance by protecting sensitive data.
HPE promotes 'circular economy' for end-of-use tech
HPE is planning to show businesses worldwide that throwing old tech and assets into landfill is not the best option when it comes to end-of-use disposal.
2018 sees 1,500% increase in coinmining malware - report
This issue will only continue to grow as IoT forms the foundation of connected devices and smart city grids.
CSPs ‘not capable enough’ to meet 5G demands of end-users
A new study from Gartner produced some startling findings, including the lack of readiness of communications service providers (CSPs).
Oracle announces a new set of cloud-native managed services
"Developers should have the flexibility to build and deploy their applications anywhere they choose without the threat of cloud vendor lock-in.”
How AT&T aims to help businesses recover faster from a disaster
"Companies need to be able to recover and continue operations ASAP, without pulling resources from other places to get back up and running."