Leading open-source developer community GitHub has taken a couple of big strides in the direction of tighter security and privacy controls by first, stopping the use of all non-essential cookies and second, deciding not to accept passwords to authenticate Git operations from August 2021.
On Tuesday, Matthew Langlois, a security engineer at GitHub, wrote in a blog post that starting August next year, GitHub will no longer require passwords to authenticate Git operations on Guthub.com, a move which, he said, will make it more difficult for hackers to use passwords that have been reused across multiple websites to try to gain access to GitHub accounts.
Instead, GitHub will require “the use of token-based authentication, such as a personal access token (for developers) or an OAuth or GitHub App installation token (for integrators) for all authenticated Git operations on GitHub.com”.
GitHub already allows developers to authenticate Git operations using verified devices and two-factor authentication and also offers WebAuthn support and sign-in alerts to users to help secure their accounts from takeover attempts. However, considering that the use of passwords to authenticate developer accounts is still rampant, the company is now asking users to begin using personal access tokens over HTTPS or SSH keys to authenticate their accounts.
The upcoming change in GitHub’s security policy for account authentication will affect command line Git access, any apps/services that access Git repositories on GitHub.com using user passwords, and desktop applications using Git, except GitHub Desktop. As GitHub Apps do not support password authentication, app users will not be required to make any changes to the way they log in to their accounts.
According to Langlois, token-based authentication offers a number of security benefits over password-based authentication. These include:
- Unique – tokens are specific to GitHub and can be generated per use or per device
- Revocable – tokens can be individually revoked at any time without needing to update unaffected credentials
- Limited – tokens can be narrowly scoped to allow only the access necessary for the use case
- Random – tokens are not subject to the types of dictionary or brute force attempts that simpler passwords that you need to remember or enter regularly might be
He added that to ensure all affected customers are aware of the authentication change, GitHub will temporarily disable support for password authentication during two planned brownouts- one on 30th June and the other on 28th July, 2021. During these periods, users will not be able to authenticate Git operations with passwords and will, therefore, be ready when the changes are implemented permanently come August.
In another blog post, GitHub CEO Nat Friedman said the website is no longer displaying cookie banners to visitors as they have decided not to use non-essential cookies that are mostly used by third-party analytics, tracking, and advertising services to track the behaviour of Internet users.
“EU law requires you to use cookie banners if your website contains cookies that are not required for it to work. Common examples of such cookies are those used by third-party analytics, tracking, and advertising services. These services collect information about people’s behavior across the web, store it in their databases, and can use it to serve personalised ads.
“At GitHub, we want to protect developer privacy, and we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really. 🤔
“So, we have removed all non-essential cookies from GitHub, and visiting our website does not send any information to third-party analytics services. (And of course, GitHub still does not use any cookies to display ads, or track you across other sites.),” Friedman said.