
Weak GitHub passwords lead to account security breach

Adi Robertson is a senior tech and policy editor focused on online platforms and free expression. Adi has covered virtual and augmented reality, the history of computing, and more for The Verge since 2011.

Code repository GitHub is the latest site to have hackers compromise some user accounts, and in response, it’s taking aim at bad passwords. In a blog post, GitHub engineer Shawn Davenport said that a brute force attack from around 40,000 IP addresses revealed some commonly used passwords, as well as ones that were used on sites besides GitHub. Davenport defended the site’s overall security. “We aggressively rate-limit login attempts and passwords are stored properly,” he said, though GitHub is now working on improving those rate limits. Primarily, though, it’s saying that user passwords were the key weak link here.

Anyone whose account appeared to be compromised has had their password reset and any third-party keys revoked, and GitHub will be on the lookout for further suspicious activity. In addition to normal strength requirements like length or character rules, GitHub is also banning any easily guessed passwords, though that requirement seems pretty lax: “passw0rd” is apparently easily guessed by hackers, but “Passw0rd” is not. GitHub also offers two-factor authentication, an increasingly common measure to combat the inherent problems with passwords. GitHub did not immediately respond to questions about how many accounts were affected, but whatever the number is, it’s going to be minuscule compared to the most recent high-profile hack, which compromised at least 38 million Adobe user accounts earlier this fall.
