Passwords begone: GitHub will ban them next year for authenticating Git operations
Prepare for two brownouts in July when things get tested properly
Microsoft's GitHub plans to stop accepting account passwords as a way to authenticate Git operations, starting August 13, 2021, following a test period without passwords two weeks earlier.
The planned change does not affect the ability to log in to a GitHub account in a web browser with a username, password, and perhaps a second authentication factor, like a passcode sent to a mobile device or a Time-based One-Time Password (TOTP) code. Instead, it applies to Git operations – the commands and APIs for interacting with GitHub-hosted Git software repositories.
In a blog post on Wednesday, Matthew Langlois, security engineer at GitHub, said the procedural change follows a plan announced in July and implemented last month to require token-based authentication for all authenticated API operations on GitHub.com.
As of next August, that requirement will be extended to all Git-related command line interactions, desktop apps that use Git (apart from GitHub Desktop), and software or services that access Git repos on GitHub via password.
To prepare GitHub users, the cloud code storage service has scheduled two brownouts prior to the August 13, 2021 deadline – on July 28 and 30 – when the company will, for a few hours, disable support for password authentication. Git operations tied to passwords will fail during these planned outages, which the company hopes will remind developers to get their houses in order.
In place of passwords for Git interactions, GitHub will require token-based authentication, which means a personal access token for developers or an OAuth or GitHub App installation token for integrators. Those using SSH keys rather than tokens can continue to do so.
Tokens, insists Langlois, have several advantages over passwords: they're easier to make unique for a service, device, or specific usage; they can be revoked without affecting other credentials; they can be more easily scoped to specific uses; and they can be random, which makes them less susceptible to dictionary or brute-force attacks than passwords simplified for the sake of memorability.
Tokens mean people won't choose weak passwords like "solarwinds123." They don't guarantee developers won't accidentally include their tokens when they make code commits, though GitHub's Token Scanning service may help save hapless devs from themselves.
Microsoft has made a mission of replacing password authentication with more secure authorization checks, an odyssey that began when Microsoft co-founder Bill Gates in 2004 advised moving away from passwords. While GitHub isn't there yet, removing passwords from Git operations is a step in that direction. ®