
It’s time to change your GitHub Plaintext Password! (And on all the sites using it)

Email sent from GitHub on Tuesday, May 1st 2018

On a regular Tuesday, while reviewing and approving pull requests, I noticed that submitting a comment landed me on a “404” page — hmm, probably a session (aka cache-and-cookies) error. I happened to switch to my Gmail tab and saw an email from GitHub Security that had just arrived (“0 minutes ago”). It looked like GitHub had forcibly logged out all affected users as a safety measure — which is why I had been getting the 404.

What scares me more, though, is that this particular GitHub account of mine, the one that received the notification, was created only a little over a month ago, at a time when cybersecurity matters more than ever and data breaches have become increasingly common.

One would think a company like GitHub, powered by the smartest developers and open-source fanatics, would have been a little more vigilant about code and deployment changes that could introduce a bug like this one!

“At this time,” of course, isn’t very reassuring either — it seems we are fine for now, and merely changing the password on GitHub (and on every other site or system where you reused it) would be sufficient. But there always remains the possibility of unknown unknowns that may eventually surface and prove more revealing. For example, it is “very unlikely” that any GitHub staff accessed these logs, but entirely possible. Nor do we know exactly how long this bug existed (longer than they keep access logs?).
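To make the class of bug concrete, here is an added example written for this post; it is not GitHub’s code, which the post never shows. It models a hypothetical request logger that writes login payloads to its log, the `RedactSecretsFilter` that keeps plaintext passwords from landing there, and a small audit helper, `find_leaked_secrets`, for spotting unredacted values in log lines that were already written. The key list, function names and sample payloads are all constructed for the example.

```python
import io
import logging
import re

# Keys whose values must never reach a log line (constructed list for this example).
SENSITIVE_KEYS = ("password", "passwd", "new_password", "token")
REDACTED = "[REDACTED]"

# Matches key/value pairs in the shapes request loggers commonly emit:
#   JSON {"password": "hunter2"}, form password=hunter2&user=bob, Python dict {'password': 'hunter2'}
# group 1: optional quote around the key, group 2: key, group 3: separator,
# group 4: optional quote around the value, group 5: the value itself.
_PATTERN = re.compile(
    r'(?i)(["\']?)\b(' + "|".join(SENSITIVE_KEYS) + r')\b\1(\s*[:=]\s*)(["\']?)([^"\'\s,&}]*)\4'
)


def redact(text: str) -> str:
    """Replace the value of every sensitive key in `text` with [REDACTED], keeping the key."""
    return _PATTERN.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{m.group(1)}{m.group(3)}{m.group(4)}{REDACTED}{m.group(4)}",
        text,
    )


class RedactSecretsFilter(logging.Filter):
    """Logging filter that scrubs secrets from the message and its arguments before emit()."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if record.args:
            if isinstance(record.args, dict):
                record.args = {k: redact(str(v)) for k, v in record.args.items()}
            else:
                record.args = tuple(redact(str(a)) for a in record.args)
        return True  # the record still gets logged, just without the secret


def log_login_attempt(payload: str, redacting: bool) -> str:
    """Log `payload` the way a naive request logger would and return the line that reached the log."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redacting:
        handler.addFilter(RedactSecretsFilter())  # the mitigation: one filter on the handler
    logger = logging.getLogger("auth-demo." + ("redacted" if redacting else "raw"))
    logger.handlers.clear()  # keep repeated calls from stacking handlers
    logger.propagate = False  # do not forward the raw line to the root logger
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info("login attempt payload=%s", payload)
    handler.flush()
    return buf.getvalue().strip()


def find_leaked_secrets(log_lines) -> list:
    """Return 1-based line numbers whose sensitive values were written in the clear (audit of old logs)."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for match in _PATTERN.finditer(line):
            if match.group(5) and match.group(5) != REDACTED:
                hits.append(number)
                break
    return hits


# Constructed log lines standing in for a log file written before the filter was in place.
SAMPLE_LOG = [
    "INFO login attempt payload=user=alice&password=[REDACTED]",
    'INFO login attempt payload={"user": "bob", "password": "hunter2"}',
    "INFO session refreshed for user=carol",
]

if __name__ == "__main__":
    print(log_login_attempt("user=bob&password=hunter2", redacting=False))
    print(log_login_attempt("user=bob&password=hunter2", redacting=True))
    print("lines with plaintext secrets:", find_leaked_secrets(SAMPLE_LOG))
```

The filter sits on the handler rather than on the logger so it also catches records that arrive through child loggers; the same regex doubles as the audit check, which is the question “how long has this existed?” turned into something you can run over retained logs.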

I’ll keep this one short — even though it appears not all accounts were affected, I strongly encourage all GitHub users to change their account passwords anyway, and in any other place where the same password was used!

As a tip, you may want to use one of the natively installed password generators to maximize password strength — for example, Apple’s Keychain Access, or similar tools on Windows (I’m not making any recommendations). Additionally, consider enabling two-factor authentication (2FA) to further secure your GitHub account.