New draconian account requirements & monitoring

Half a year after my complaining about the new overzealous account security measures with the double verification process, today I get hit with the message:

The password you provided is in a list of passwords commonly used on other websites. To increase your security, you must update your password. After July 28, 2020 we will automatically reset your password.

Where do you get this information?

Can you please just back off? How do you know where I have used this password and if you know where I have used it, what tool have you used to hack into my stored passwords?

I just checked this password against several compromised lists and it has never been used and compromised before, so how do you know that the password has been previously used?

Even my bank accounts with my IRA, savings and checking accounts are not as overzealous as Github. Who is driving all this unnecessary work for Github users and why are you overstepping the security requirements of even major financial institutions and money processing organizations?

Way, way, way out of hand. I’ve complained about this before and gotten a long list of why it’s needed. Bottom line, however, is that financial institutions find a way to implement security without all this, so why can’t you as well, instead of asking everyone to go through nearly a “new high-financed loan approval” procedure to simply log into their GitHub account?

I appreciate the facility but perhaps management could look at assigning this new massive security push to work instead in areas like improving the layout and flow and implementing consistency rather than everyone dog-piling on a new security measure every few months. Thanks.

Hi there! :wave: Welcome to the Community!

I’m sorry you’re frustrated with our security measures. Sorry for the delay, but I wanted to take my time explaining this. We know people get frustrated.

While the password you have at present may meet the listed requirements, the system also runs a check when you provide your password (during sign in, or sudo access). The check compares a one-way hash of that password against our internal database of credentials known to be compromised by breaches of other websites or services.

The weak password message you received indicates that the password you have entered was used by someone (not necessarily yourself) on a website that was compromised, which means it’s on lists used by malicious actors in their automated takeover attempts.

I do understand your frustration, but there are extra considerations compared to your bank, for instance. First, we don’t require real world information to create a GitHub account. There are several scenarios where a takeover could lead to a total loss of the account, and that is something we obviously want to avoid. We can’t take a driving licence as proof because we don’t collect real world identity information from you. Banks collect an enormous amount of real world data they can use in the event of a breach. Additionally, while a compromised bank account is a headache for you, a compromised GitHub account is a headache for you, and for anyone who grants you organisation membership, or allows you to collaborate on their projects.

And this is not a minor concern: successful account takeovers generate an enormous amount of work for our security, support, and legal teams. We don’t have the ability to expand this exponentially as people get better and better at breaking into accounts, so we have to constantly get better at preventing them.

I hope this explanation lessens your annoyance somewhat. We do try our best to balance usability and security, and allowing people to use passwords that we know are used by malicious actors would be negligent.

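The hashed lookup described in the reply above can be done without the password, or even its full hash, ever leaving the client. What follows is an added Python example, not GitHub's code and not Have I Been Pwned's code: it implements the k-anonymity range protocol that the public Pwned Passwords API uses (SHA-1 in upper-case hex, the first 5 characters sent to the server, the remaining 35 kept local and matched against the returned `SUFFIX:COUNT` lines) against a constructed in-memory breach corpus that stands in for the server. The corpus entries and their counts, the `constructed_range_server` function, and the zero-count padding line are assumptions made for the example.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed breach corpus standing in for a server-side list of leaked
# passwords. Assumption: these strings and counts are made up for the
# example and are not real breach data.
CONSTRUCTED_LEAKED: Dict[str, int] = {
    "password": 3861493,
    "letmein": 236000,
    "Tr0ub4dor&3": 12,
}


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Split the hash into the 5-char prefix that is sent to the server and the
    35-char suffix that never leaves the client (k-anonymity range query)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def constructed_range_server(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.

    Returns one 'SUFFIX:COUNT' line for every corpus entry whose hash shares
    the prefix, plus a zero-count padding line of the kind the real API adds
    when asked to pad responses. Constructed for the example; no network."""
    lines = []
    for leaked, count in CONSTRUCTED_LEAKED.items():
        p, s = split_for_range_query(leaked)
        if p == prefix.upper():
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")  # padding entry (assumed shape), must be ignored
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Malformed lines and zero-count (padding) entries are skipped, so a padded
    response cannot produce a false positive."""
    seen: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        suffix, sep, count = line.partition(":")
        suffix = suffix.upper()
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            seen[suffix] = n
    return seen


def breach_count(password: str,
                 fetch: Callable[[str], str] = constructed_range_server) -> int:
    """How many times the password appears in the corpus (0 = not found).

    Only the 5-char prefix is handed to `fetch`; the suffix match is local."""
    prefix, suffix = split_for_range_query(password)
    table = parse_range_response(fetch(prefix))
    return table.get(suffix, 0)


def password_is_acceptable(password: str,
                           fetch: Callable[[str], str] = constructed_range_server) -> bool:
    """Policy used by the example: reject any password seen in a breach at all."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate), "hits;",
              "acceptable" if password_is_acceptable(candidate) else "rejected")
```

Swapping `constructed_range_server` for a real HTTP GET against the range endpoint gives a working client; the server still only ever learns a 5-character prefix shared by hundreds of unrelated passwords. Note that a zero result from one corpus says nothing about other corpora: as the later reply on this page states, GitHub's list is not Have I Been Pwned, so "not in HIBP" does not mean "not on any breach list".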

I’m curious and have checked the password with haveibeenpwned but it does not show up there.

Would you care to explain further about your

internal database of credentials known to be compromised by breaches

and what it comprises?

It kind of unnerves me that your password hash DB is more comprehensive than HIBPs - or is it a false positive?

Best regards

:wave: Welcome!

You’re right! We don’t use Have I Been Pwned as a single source of truth, although it’s a nice accessible product for individuals to quickly check for themselves. There are further lists available with commonly used enterprise and commercially available software as well. We use the very best products we can to ensure the best possible security for all our users.

The weak password message you received indicates that the password you have entered was used by someone (not necessarily yourself) on a website that was compromised, which means it’s on lists used by malicious actors in their automated takeover attempts.

I just checked my GitHub password on https://haveibeenpwned.com/Passwords and it has not been pwned so please give us access to this list of passwords. I already have 2FA enabled so it is not your business if I use a particular password for GitHub.

Also to reiterate, 2FA circumvents any issue of using a “common” password since a person would need to put in an authentication code after login. Actually overkill.

“Best” security would be to always use a OTP so you’re wrong there. Why don’t you ask Google how to implement security because their email service has the best security and doesn’t do this horrible password monitoring.