GitHub's new anti-hacker measure: account-and-password authentication for Git operations is being dropped in favour of tokens or SSH keys, effective at 00:00 tonight
Xiaoxiao sent from Aofei Temple
Quantum Bit Report | Public Account QbitAI
Still using an account name and password to authenticate Git operations on GitHub?
Hurry up and get a token or SSH key set up!
Starting at 00:00 on August 14 (09:00 Pacific time on August 13), Git operations against GitHub that authenticate with an account password will fail.
GitHub says the move is meant to improve the security of Git operations and to blunt credential stuffing and similar attacks.
What operations are affected?
In short, if you still authenticate Git operations with your account name and password, these are affected:
- Command-line Git access
- Desktop applications that use Git (GitHub Desktop itself is not affected)
- Any application or service that accesses repositories on GitHub over Git with an account name and password
These users are not affected:
- Users who have already enabled two-factor authentication (2FA), since they have long been required to authenticate Git operations with a token or SSH key
- Users of the GitHub Enterprise Server on-premises product (nothing has changed there yet)
- Users of GitHub Apps, which do not support account-and-password authentication
Of course, most people who use Git regularly should already know this.
GitHub already rehearsed the change with brownouts on June 30 (15:00-18:00 UTC), July 1 (00:00-03:00 UTC), July 28 (15:00-18:00 UTC) and July 29 (00:00-03:00 UTC) of this year, during which every Git operation had to be authenticated with a token or SSH key.
Now the change is permanent.
Why on earth is GitHub doing this?
Why are tokens and SSH keys safer?
First, understand the hidden danger of authenticating with nothing but an account name and password.
Every day, large numbers of websites are breached, and the leaked data often includes users' account names and passwords.
Attackers then take those leaked credentials and try them against other websites. This is called credential stuffing.
Put simply, if you use the same account name and password on websites A, B and C, then once website A's passwords leak, your accounts on B and C can be taken over as well.
To blunt credential stuffing, websites add further identity checks. GitHub, for example, has rolled out two-factor authentication, login alerts, verified devices, blocking of known-compromised passwords, and WebAuthn support.
Two-factor authentication means proving identity with two different kinds of factor at once: something you know (a password), something you have (a security key, phone, ID card, etc.) and something you are (fingerprint, iris, face, etc.).
Now GitHub is forcing users onto tokens or SSH keys. Compared with an account password, both are clearly more secure:
- Unique: specific to GitHub, and can be generated per device or per use
- Revocable: can be revoked individually at any time without touching other credentials
- Limited: scoped narrowly, so a credential only grants the access its use case needs
- Random: not reused across sites, so not exposed to credential stuffing, and far harder to guess than a password a human has to remember
So which is the better fit, a token or an SSH key?
GitHub currently recommends tokens because they are easier to set up, but an SSH key is the stronger of the two: the private key never leaves your machine (the server only ever sees a signature made with it), whereas a token is a bearer secret that travels with every request and grants access to whoever holds it. Whichever you choose, scope it narrowly, keep it in a credential helper or SSH agent rather than in a remote URL, and rotate it if it is ever exposed.
Git users who haven't set up a token or SSH key yet can follow the official tutorial to get started.
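To find out before the cutoff which of your own remotes and stored credentials still rely on a password, here is an added audit script (an example written for this article, not code from GitHub or from the tutorials linked below). It parses the text of a `.git/config` and of a `git-credential-store` file, flags HTTPS remotes that carry an inline password, suggests the equivalent SSH URL, and uses GitHub's token prefixes (ghp_, gho_, ghu_, ghs_, ghr_) as a heuristic to tell a token from a password. The config and credential lines at the bottom are constructed for the demo and contain no real secrets; in practice feed it the contents of your repository's `.git/config` and of `~/.git-credentials`.

```python
"""Audit Git remotes and a credential store for GitHub password authentication."""
import re
from urllib.parse import urlsplit

GITHUB_HOSTS = {"github.com", "www.github.com"}

# GitHub's new-format token prefixes: ghp_ (personal access token), gho_ (OAuth),
# ghu_ / ghs_ (GitHub App user / server tokens), ghr_ (refresh token).
# Classic tokens issued before the prefixes are 40 hex characters, which a
# password could also be, so that shape is only reported as "possible".
TOKEN_PREFIX = re.compile(r"^gh[posur]_[A-Za-z0-9]{20,}$")
HEX40 = re.compile(r"^[0-9a-f]{40}$")
# git@github.com:org/repo.git (scp-like syntax, no scheme)
SCP_LIKE = re.compile(r"^(?P<user>[^@/:]+)@(?P<host>[^:/]+):(?P<path>[^/].*)$")
SECTION = re.compile(r'^\s*\[remote\s+"(?P<name>[^"]+)"\]')
URL_LINE = re.compile(r"^\s*url\s*=\s*(?P<url>\S+)")


def classify_secret(secret):
    """Heuristic: is a secret embedded in a URL a token or a password?"""
    if TOKEN_PREFIX.match(secret):
        return "token"
    if HEX40.match(secret):
        return "possible-classic-token"
    return "password"


def to_ssh_url(https_url):
    """Rewrite https://github.com/org/repo(.git) as git@github.com:org/repo.git,
    dropping any user:secret@ part (hostname excludes the userinfo)."""
    parts = urlsplit(https_url)
    path = parts.path.strip("/")
    if not path.endswith(".git"):
        path += ".git"
    return f"git@{parts.hostname}:{path}"


def audit_remote(url):
    """Classify one remote URL. Verdicts: ok-ssh, ok-token, blocked-password,
    unknown-embedded, other-scheme, not-github, and check-credential-helper
    (HTTPS with no inline secret: whatever the helper or prompt supplies as
    the password must be a token after the cutoff)."""
    result = {"host": None, "verdict": "not-github", "secret_kind": None, "suggestion": None}
    m = SCP_LIKE.match(url) if "://" not in url else None
    if m:
        result["host"] = m["host"].lower()
        if result["host"] in GITHUB_HOSTS:
            result["verdict"] = "ok-ssh"
        return result
    parts = urlsplit(url)
    result["host"] = (parts.hostname or "").lower()
    if result["host"] not in GITHUB_HOSTS:
        return result
    if parts.scheme == "ssh":
        result["verdict"] = "ok-ssh"
        return result
    if parts.scheme not in ("http", "https"):
        result["verdict"] = "other-scheme"
        return result
    result["suggestion"] = to_ssh_url(url)
    if parts.password is None:
        result["verdict"] = "check-credential-helper"
        return result
    kind = classify_secret(parts.password)
    result["secret_kind"] = kind
    result["verdict"] = {"token": "ok-token", "password": "blocked-password"}.get(kind, "unknown-embedded")
    return result


def audit_git_config(text):
    """Map remote name -> audit_remote() result for every remote in a .git/config."""
    results, name = {}, None
    for line in text.splitlines():
        s = SECTION.match(line)
        if s:
            name = s["name"]
            continue
        if line.lstrip().startswith("["):
            name = None  # some other section, e.g. [core]
            continue
        u = URL_LINE.match(line)
        if u and name:
            results[name] = audit_remote(u["url"])
    return results


def audit_credential_store(text):
    """Classify a git-credential-store file (one https://user:secret@host per line)."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        parts = urlsplit(line)
        host = (parts.hostname or "").lower()
        kind = classify_secret(parts.password) if parts.password is not None else None
        entries.append({"host": host, "user": parts.username, "secret_kind": kind,
                        "github": host in GITHUB_HOSTS})
    return entries


# Constructed sample input (no real credentials): a remote with a password baked
# into the URL, one already on SSH, and a plain HTTPS remote.
SAMPLE_CONFIG = """[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://alice:hunter2@github.com/example-org/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@github.com:example-org/app.git
[remote "fork"]
    url = https://github.com/alice/app
"""
SAMPLE_STORE = """https://alice:hunter2@github.com
https://alice:ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ1234@github.com
https://bob:s3cret@gitlab.example.com
"""

if __name__ == "__main__":
    for name, r in audit_git_config(SAMPLE_CONFIG).items():
        print(f"remote {name:8} {r['verdict']:24} {r['suggestion'] or ''}")
    for e in audit_credential_store(SAMPLE_STORE):
        print(f"store  {e['user']}@{e['host']}: {e['secret_kind']}")
```

For the sample input the `origin` remote is reported as blocked-password with `git@github.com:example-org/app.git` as the replacement, `mirror` is already fine, and `fork` is flagged for a look at its credential helper. The token check is only a heuristic: a secret without a `ghp_`-style prefix is not proof of a password, which is why 40-hex values are reported separately.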
GitHub setup tutorial:
[1]https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token
[2]https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
Reference links:
[1]https://github.blog/changelog/2021-08-12-git-password-authentication-is-shutting-down/
[2]https://www.theregister.com/2021/08/12/git_proxyshell_gigabyte/
-over-
This article is original content from QbitAI (Quantum Bit), a signed account in the NetEase News / NetEase special content incentive plan. Reproduction without the account's authorization is prohibited.