Story image

GitHub security tool checks passwords against 517m breached credentials

06 Aug 18

Web development and coding platform GitHub has rolled out password and two-factor authentication revamps to make user accounts more secure – thanks to the popular password checking site HaveIBeenPwned.com.

GitHub’s new password security feature works by checking to see if a particular password has already been compromised in a breach.

Security expert Troy Hunt created HaveIBeenPwned.com, a website that allows people to see if their emails and passwords have been involved in a data breach.  Hunt also created a dataset of around 517 million compromised passwords and made these publicly available on the website.

GitHub used that dataset to create an internal version of the service, which means it can check if a user’s password has been found in any publicly available sets of breach data.

“People using compromised passwords will be prompted to select a different password during login, registration, or when updating their password. Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.

GitHub has also improved its two-factor authentication methods. It will now ‘periodically’ remind users to review their two-factor authentication setups and recovery options.

Those recovery options include two-factor authentication codes; fallback numbers; account recovery tokens; and FIDO U2F keys.

“We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean,” GitHub adds.

GitHub users who haven’t set up two-factor authentication can access it by going to their account settings and clicking the ‘Security’ tab.

GitHub also recommends the following actions:

1. Update your password a long, unique value that is generated by a password manager. Consider a cloud-synchronised password manager.

2. Use two-factor authentication. Using a TOTP application is more secure than using SMS to deliver codes, but has a higher chance of irrecoverable loss leading to account lockout. Consider a cloud-synchronised application that supports securely backing up your two-factor credentials.

3. Ensure you have a method of recovering your account if you lose access to your two-factor device. Having a hardware U2F key is a secure option. Also, be sure to store your two-factor backup codes somewhere secure like a password manager or a secure physical location. Consider linking your account to Facebook via Recover Accounts Elsewhere.

4. Update your primary email address if necessary and determine if a backup email address is desirable. These settings will determine which email address(es) are allowed to perform a password reset.

5. Review other GitHub credentials. While we remove SSH keys, deploy keys, OAuth authorisations, and personal access tokens that have not been used in a year, it’s always a good idea to manually review them periodically. 6. Consider signing up for HaveIBeenPwned notifications. You do not need to provide a password.

GitHub says its new security improvements are designed to help users balance security, recoverability, and usability of their accounts.

JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
WatchGuard appoints new channel distributors in A/NZ
The appointments will enable WatchGuard to expand its regional channel reseller footprint.