Story image

GitHub security tool checks passwords against 517m breached credentials

06 Aug 2018

Web development and coding platform GitHub has rolled out password and two-factor authentication revamps to make user accounts more secure – thanks to the popular password checking site HaveIBeenPwned.com.

GitHub’s new password security feature works by checking to see if a particular password has already been compromised in a breach.

Security expert Troy Hunt created HaveIBeenPwned.com, a website that allows people to see if their emails and passwords have been involved in a data breach.  Hunt also created a dataset of around 517 million compromised passwords and made these publicly available on the website.

GitHub used that dataset to create an internal version of the service, which means it can check if a user’s password has been found in any publicly available sets of breach data.

“People using compromised passwords will be prompted to select a different password during login, registration, or when updating their password. Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.

GitHub has also improved its two-factor authentication methods. It will now ‘periodically’ remind users to review their two-factor authentication setups and recovery options.

Those recovery options include two-factor authentication codes; fallback numbers; account recovery tokens; and FIDO U2F keys.

“We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean,” GitHub adds.

GitHub users who haven’t set up two-factor authentication can access it by going to their account settings and clicking the ‘Security’ tab.

GitHub also recommends the following actions:

1. Update your password a long, unique value that is generated by a password manager. Consider a cloud-synchronised password manager.

2. Use two-factor authentication. Using a TOTP application is more secure than using SMS to deliver codes, but has a higher chance of irrecoverable loss leading to account lockout. Consider a cloud-synchronised application that supports securely backing up your two-factor credentials.

3. Ensure you have a method of recovering your account if you lose access to your two-factor device. Having a hardware U2F key is a secure option. Also, be sure to store your two-factor backup codes somewhere secure like a password manager or a secure physical location. Consider linking your account to Facebook via Recover Accounts Elsewhere.

4. Update your primary email address if necessary and determine if a backup email address is desirable. These settings will determine which email address(es) are allowed to perform a password reset.

5. Review other GitHub credentials. While we remove SSH keys, deploy keys, OAuth authorisations, and personal access tokens that have not been used in a year, it’s always a good idea to manually review them periodically. 6. Consider signing up for HaveIBeenPwned notifications. You do not need to provide a password.

GitHub says its new security improvements are designed to help users balance security, recoverability, and usability of their accounts.

ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Who's watching you? 
With privacy an increasing concern amongst the public, users should be more aware than ever of what personal data companies hold.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Managing data to comply with privacy regulations - Micro Focus
It’s crucial for organisations to be able to access, understand, and accurately classify the data they have so they know how to treat it.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.