How to depreciate GitHub, step 1, reduce security with enforced SSH tokens

The point of SSH tokens is to generate them on the fly. By forcing us to store them just so we can copy-paste them so we can upload our own code, you create a security risk whereby, if somehow our computers were to be hacked, those supposedly secure tokens could then be copied and used to lock us out or at the very least create unnecessary problems. With a simple password all we had to do was remember it; if someone can’t do that then they should pass their code on to a member of their team who can. Congratulations GitHub, you lost me as a user. I’m moving to GitLab where I don’t get forced to use SSH tokens; I’m perfectly capable of setting a secure password and remembering it. My account will remain open here for the sole purpose of directing anyone who found the old links to the right place.

Hi, and thank you for your honest feedback.

While I can understand your reluctance to store a personal access token (PAT) or SSH key on your computer, the switch to these was made explicitly so that if stored credentials are compromised, they can be revoked by a user who can still access their account since those keys won’t allow an attacker to make account-level changes.

If a malicious actor gets your personal access token that is scoped for write access to your repositories, they can see your code and push, but as soon as you’ve realised that’s happened, you can revoke that token, create a new one, and be back to working securely in a couple minutes.

Unfortunately, passwords grant access to entire accounts if there is no 2FA set up so the outcome of a breached account with a compromised password is much, much more likely to be poor.

If it helps, you shouldn’t need to copy and paste your authentication token often at all if you’re using a trusted device.

If a coder can’t keep their password in their head then they shouldn’t be in the coding business. Also, that trusted device crap is nonsense because I have to copy that damn key every time on my PC. Either way, you’ve fully lost me as a user. I’ve already imported everything to GitLab and am doing my uploads there instead.