Application security, Supply chain, Supply chain

GitHub ditches passwords for Git operations

Two members of the cybersecurity community have developed a new open-source search tool that’s designed to help cybersecurity professionals navigate an increasingly cumbersome list of software products affected by the Log4J vulnerability. (Photo Source: Creative Commons)

GitHub has finally GitSnubbed passwords for Git authentication.

"In December, we announced that beginning August 13, 2021, GitHub will no longer accept account passwords when authenticating Git operations and will require the use of strong authentication factors, such as a personal access token, SSH keys (for developers), or an OAuth or GitHub App installation token (for integrators) for all authenticated Git operations on GitHub.com," wrote Chief Security Officer Mike Hanley in a blog Monday.

"With the August 13 sunset date behind us, we no longer accept password authentication for Git operations."

The move will add additional security to the platform soon after another code repository — PyPi for the Python language — demonstrated some of the hazards for software supply chain risk just a few weeks ago. In that case, malicious look-alike packages were uploaded to the site. When deployed, they stole credit card information.

Hanley's blog discusses additional two-factor options for the site, ranging from physical keys to time-based one-time passwords. Hanley notes that SMS message authentication is still an option, but notes standards groups advise against it as a SIM-swap-vulnerable platform.

The GitHub move is getting good reviews from the company's peers.

In a statement, Mark Risher, senior director of product management for Google's identity and security platforms said "We’re glad to see GitHub moving beyond passwords and opting instead to use strong authentication for secure sign in. Passwords alone are simply no longer enough for sensitive and high-risk activities; they're too difficult to manage and too easy to steal."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.