In a move to protect its users, software repository site GitHub is now alerting account holders whenever it detects that a password has been compromised in breaches on other services.
Security experts have long pushed for the use of long, unique passwords, to ensure stronger security of all online accounts. However, even unique passwords can pose a great risk when compromised, especially if attackers can link them to specific accounts.
The new feature is the result of a partnership with Troy Hunt, the security researcher behind the popular HaveIBeenPwned.com project. The service allows users to check whether their accounts and passwords have appeared in any data breaches.
An internal tool GitHub has created is now taking advantage of a 517 million record dataset that Hunt made available for download through its service to “validate whether a user’s password has been found in any publicly available sets of breach data.”
The open-source software repository platform enabled the feature last week. The functionality, it says, it meant to alert all people who are using compromised passwords and prompt them to select a different one during login, registration, or when updating their password.
“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.
Users who have two-factor authentication (2FA) enabled will receive periodic warnings to review the 2FA setup and recovery options, GitHub also reveals.
However, traditional 2FA options such as SMS have proven to be unreliable, and all of the online platform’s users are advised to use a 2FA authenticator application that supports cloud backups, to ensure a recovery option is always available for them.
“These new account security enhancements will help improve the security of your account. We hope you will take this opportunity to review the security of your account. Balancing security, usability, and recoverability is a personal decision,” GitHub notes.
The service’s users are advised to generate strong, unique passwords using a dedicated manager, to enable 2FA, and to make sure an account-recovery method is available. They should also update their primary email address if necessary and review their other credentials on the platform, GitHub says.
GitHub, which will soon become part of Microsoft, has made other security improvements as well, including the enforcing of SSL/TLS. This, however, did not stop hackers from compromising accounts to spread malicious code, as was the case with the recent Gentoo incident.
Related: GitHub Exposed Passwords of Some Users
Related: GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries
More from Ionut Arghire
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
