
GitHub security tool checks passwords against 517m breached credentials

06 Aug 18

Web development and coding platform GitHub has rolled out password and two-factor authentication revamps to make user accounts more secure – thanks to the popular password checking site HaveIBeenPwned.com.

GitHub’s new password security feature works by checking to see if a particular password has already been compromised in a breach.

Security expert Troy Hunt created HaveIBeenPwned.com, a website that allows people to see if their emails and passwords have been involved in a data breach. Hunt also created a dataset of around 517 million compromised passwords and made these publicly available on the website.

GitHub used that dataset to create an internal version of the service, which means it can check if a user’s password has been found in any publicly available sets of breach data.

“People using compromised passwords will be prompted to select a different password during login, registration, or when updating their password. Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.
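The flow GitHub describes, as an added example that is not GitHub's code: the plaintext is hashed only at the moment the user supplies it, looked up in a local copy of a breached-password list, and the stored credential is a separate salted slow hash (PBKDF2 here as a stand-in for bcrypt). The breached list is a constructed stand-in, built by hashing a few known-weak passwords in the HaveIBeenPwned download format of one `SHA1HEX:COUNT` line per password, so it runs offline with no real breach data.

```python
import hashlib
import hmac
import os

# Constructed sample (not real breach data): a few weak passwords with made-up
# prevalence counts, rendered in the "SHA1HEX:COUNT" line format of the
# downloadable Pwned Passwords list.
_CONSTRUCTED_WEAK = {"password": 3, "123456": 17, "qwerty": 42}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(lines):
    """Parse 'HASH:COUNT' lines into a dict keyed by upper-case SHA-1 hex."""
    index = {}
    for line in lines:
        line = line.strip()
        if line:
            digest, count = line.split(":", 1)
            index[digest.upper()] = int(count)
    return index


SAMPLE_LINES = [f"{_sha1_hex(p)}:{n}" for p, n in _CONSTRUCTED_WEAK.items()]
BREACHED = build_index(SAMPLE_LINES)


def breach_count(password: str, index=BREACHED) -> int:
    """How many times the password appears in the breach list (0 = never).
    The SHA-1 digest is computed only for this lookup and never stored."""
    return index.get(_sha1_hex(password), 0)


def store_password(password: str) -> bytes:
    """Salted slow hash for the credential database (PBKDF2 stands in for bcrypt)."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(password: str):
    """Registration / password-change gate: refuse a password seen in breaches."""
    if breach_count(password):
        return "rejected", None
    return "accepted", store_password(password)


def login(password: str, stored: bytes) -> str:
    """Verify against the stored hash; if it matches but the password is now
    known to be breached, the user must pick a new one ('reset_required')."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    if not hmac.compare_digest(candidate, digest):
        return "bad"
    return "reset_required" if breach_count(password) else "ok"
```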

GitHub has also improved its two-factor authentication methods. It will now ‘periodically’ remind users to review their two-factor authentication setups and recovery options.

Those recovery options include two-factor authentication codes; fallback numbers; account recovery tokens; and FIDO U2F keys.

“We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean,” GitHub adds.

GitHub users who haven’t set up two-factor authentication can access it by going to their account settings and clicking the ‘Security’ tab.

GitHub also recommends the following actions:

1. Update your password to a long, unique value that is generated by a password manager. Consider a cloud-synchronised password manager.

2. Use two-factor authentication. Using a TOTP application is more secure than using SMS to deliver codes, but has a higher chance of irrecoverable loss leading to account lockout. Consider a cloud-synchronised application that supports securely backing up your two-factor credentials.

3. Ensure you have a method of recovering your account if you lose access to your two-factor device. Having a hardware U2F key is a secure option. Also, be sure to store your two-factor backup codes somewhere secure like a password manager or a secure physical location. Consider linking your account to Facebook via Recover Accounts Elsewhere.

4. Update your primary email address if necessary and determine if a backup email address is desirable. These settings will determine which email address(es) are allowed to perform a password reset.

5. Review other GitHub credentials. While we remove SSH keys, deploy keys, OAuth authorisations, and personal access tokens that have not been used in a year, it’s always a good idea to manually review them periodically.

6. Consider signing up for HaveIBeenPwned notifications. You do not need to provide a password.

GitHub says its new security improvements are designed to help users balance security, recoverability, and usability of their accounts.
