To provide this functionality, GitHub collaborates with the popular site ‘HaveIBeenPwned’. HIBP is well known for letting users check whether their passwords have been compromised. The website has put its entire database of 517 million compromised passwords up in downloadable form. Using this data, GitHub has created an ‘internal’ feature to validate users’ passwords.
As explained by GitHub,
“People using compromised passwords will be prompted to select a different password during login, registration, or when updating their password. Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us.”
“We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean.”

Users can set up two-factor authentication for their GitHub accounts through the “Security” tab in account settings.
Moreover, GitHub recommends that users use a password manager to set up unique, strong passwords and a hardware security key for added account security. GitHub also suggests periodically reviewing GitHub credentials and signing up for HIBP notifications.
The data file contains passwords in hashed form to protect the original values, each followed by the number of times that password appeared in the sourced data breaches. As described on the HIBP website,
“The list may be integrated into other systems and used to verify whether a password has previously appeared in a data breach after which a system may warn the user or even block the password outright.”
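The kind of integration the quote describes, as an added example that is not GitHub's or HIBP's own code: it parses a few constructed lines in the layout of the downloadable list (SHA-1 variant: uppercase hex digest, a colon, then the breach count), hashes a candidate password only for the lookup, and applies a registration or reset policy that rejects any password seen in a breach. The two hash lines and their counts are constructed sample data, not values from the real file.

```python
import hashlib

# Constructed sample in the layout of the downloadable Pwned Passwords file:
# uppercase SHA-1 hex digest, ':', breach count. The counts are made up.
SAMPLE_PWNED_FILE = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:23597311
"""


def load_pwned_index(text):
    """Parse 'HASH:COUNT' lines into {hash: count}; skip blank or malformed lines."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        digest, count = line.split(":", 1)
        try:
            index[digest.upper()] = int(count)
        except ValueError:
            continue  # malformed count: ignore the line rather than crash
    return index


def breach_count(password, index):
    """How many times the password appeared in breaches (0 if never seen).

    Only the SHA-1 of the candidate is compared against the list; the
    plaintext is neither stored nor logged, mirroring the check-at-submit model.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return index.get(digest, 0)


def password_acceptable(password, index, min_length=8):
    """Registration/reset policy: returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    count = breach_count(password, index)
    if count:
        return False, f"seen in {count} breaches, choose a different password"
    return True, "ok"


if __name__ == "__main__":
    idx = load_pwned_index(SAMPLE_PWNED_FILE)
    for candidate in ("password", "123456", "correct-horse-battery-staple"):
        print(candidate, password_acceptable(candidate, idx))
```

The real list is large enough that a production deployment would load it into a database or bucket it by hash prefix rather than into one in-memory dict, but the lookup and policy logic stay the same.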