New draconian account requirements & monitoring

Half a year after my complaining about the new overzealous account security measures with the double verification process, today I get hit with the message:

The password you provided is in a list of passwords commonly used on other websites. To increase your security, you must update your password. After July 28, 2020 we will automatically reset your password.

Where do you get this information?

Can you please just back off? How do you know where I have used this password and if you know where I have used it, what tool have you used to hack into my stored passwords?

I just checked this password against several lists of compromised passwords and it has never been used before or compromised, so how do you know that the password has been previously used?

Even my bank accounts with my IRA, savings and checking accounts are not as overzealous as Github. Who is driving all this unnecessary work for Github users and why are you overstepping the security requirements of even major financial institutions and money processing organizations?

Way, way, way out of hand. I’ve complained about this before and gotten a long list of why it’s needed. Bottom line, however, is that financial institutions find a way to implement security without all this, so why can’t you as well, instead of asking everyone to go through nearly a “new high-financed loan approval” procedure to simply log into their GitHub account?

I appreciate the facility but perhaps management could look at assigning this new massive security push to work instead in areas like improving the layout and flow and implementing consistency rather than everyone dog-piling on a new security measure every few months. Thanks.


Hi there! :wave: Welcome to the Community!

I’m sorry you’re frustrated with our security measures. Sorry for the delay, but I wanted to take my time explaining this. We know people get frustrated.

While the password you have at present may meet the listed requirements, the system also runs a check when you provide your password (during sign in, or sudo access). The check compares a one-way hash of that password against our internal database of credentials known to be compromised by breaches of other websites or services.

The weak password message you received indicates that the password you have entered was used by someone (not necessarily yourself) on a website that was compromised, which means it’s on lists used by malicious actors in their automated takeover attempts.

I do understand your frustration, but there are extra considerations compared to your bank, for instance. First, we don’t require real world information to create a GitHub account. There are several scenarios where a takeover could lead to a total loss of the account and that is something we obviously want to avoid. We can’t take a driving licence as proof because we don’t collect real world identity information from you. Banks collect an enormous amount of real world data they can use in the event of a breach. Additionally, while a compromised bank account is a headache for you, a compromised GitHub account is a headache for you, and for anyone who grants you organisation membership, or allows you to collaborate on their projects.

And this is not a minor concern, but successful account takeovers generate an enormous amount of work for our security, support, and legal teams. We don’t have the ability to expand this exponentially as people get better and better at breaking into accounts, so we have to constantly get better at preventing them.

I hope this explanation lessens your annoyance somewhat. We do try our best to balance usability and security, and allowing people to use passwords that we know are used by malicious actors would be negligent.


I’m curious and have checked the password with haveibeenpwned but it does not show up there.

Would you care to explain further about your

internal database of credentials known to be compromised by breaches

and what it comprises?

It kind of unnerves me that your password hash DB is more comprehensive than HIBP’s - or is it a false positive?

Best regards

:wave: Welcome!

You’re right! We don’t use Have I Been Pwned as a single source of truth, although it’s a nice accessible product for individuals to quickly check for themselves. There are further lists available with commonly used enterprise and commercially available software as well. We use the very best products we can to ensure the best possible security for all our users.


The weak password message you received indicates that the password you have entered was used by someone (not necessarily yourself) on a website that was compromised, which means it’s on lists used by malicious actors in their automated takeover attempts.

I just checked my GitHub password on and it has not been pwned so please give us access to this list of passwords. I already have 2FA enabled so it is not your business if I use a particular password for GitHub.

Also to reiterate, 2FA circumvents any issue of using a “common” password since a person would need to put in an authentication code after login. Actually overkill.

“Best” security would be to always use a OTP so you’re wrong there. Why don’t you ask Google how to implement security because their email service has the best security and doesn’t do this horrible password monitoring.

I was just hit with this too. Please back off github.


Please, for the sake of transparency, tell us how on Earth you are detecting these passwords! If it isn’t on HIBP then where is it? There is no reasonable way that you could have found my password in a breach if the multiple websites dedicated to this very purpose have not. Again, for the sake of transparency and the FOSS community, tell us what you used to find these passwords, since it could represent a very real issue with security if you were able to find a password in a matter of minutes from an internal list. Who knows what could be done with that kind of information?


This is soo wrong :face_with_symbols_over_mouth:. Please tell your users where you found the password. I have checked many popular websites but I did not find any indications of my password being compromised.


We are still waiting for an explanation.


The point is a lot of people don’t store anything too valuable on GitHub and are just using it as a backup for a current hobby project. With this said, can there be an “If I’m hacked, don’t do anything, I agree to lose my data, there’s nothing important there anyway” option instead of having a unique password specifically for GitHub?


I would also like to know where to find these lists of breached passwords, because HIBP doesn’t detect any breach for me, but you do.


Hi all.

We do see your replies, and we understand that some people will disagree with our policies, but I’ll try and explain further, in case that helps.

GitHub uses both open and private paid sources of breach data in order to protect customer accounts. We don’t typically name our vendors and in some cases we are actually precluded from doing so by contract. The exception, of course, is where we share customer data with a vendor, and that isn’t the case here.

We have two different responses to any matching credentials:

  1. If there is a direct match - i.e., your exact email and your password are present in a breach - then we force a password reset. You won’t be able to use your account again until you have reset your password. A direct match presents a high risk to the security of your GitHub account, and by extension, any GitHub repositories or organisations you have access to.

  2. If there is an indirect match - i.e., your password has been in a breach, but not necessarily your exact email address - we then warn about a weak password, and give you a window of time in which to change it. This is a lower risk scenario, but still a risk.

We’re aware that we do take a conservative approach here, and that is constantly under review. We understand that some people would prefer to be a little more relaxed about security themselves, but again, account takeovers create a substantial workload for us, and at present, an opt-out function is not an option.

I’m sorry we can’t tailor things more individually just yet but please be assured we are constantly reevaluating our security measures, and where we can better balance security and usability, we will do our best to improve!
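The two-tier check described above (a one-way hash compared against breach data, with a direct email+password match forcing a reset and a password-only match producing the weak-password warning) as an added illustration. This is not GitHub’s code and the breach corpus is constructed; the prefix-bucketed lookup follows the 5-hex-character SHA-1 range layout used by HIBP’s Pwned Passwords API, so the plaintext never leaves the client.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    OK = "ok"
    WARN_WEAK = "warn_weak"        # indirect match: the password itself was in a breach
    FORCE_RESET = "force_reset"    # direct match: this exact email + password pair was in a breach


def sha1_hex(s: str) -> str:
    """One-way hash; the check stores and compares hashes, never the plaintext."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus (not real breach data, not GitHub's vendor feed).
# Only hashes are retained after loading:
#   _PAIR_HASHES  = sha1(lowercased email + ":" + password), for direct matches
#   _PW_INDEX     = password hashes bucketed by their first 5 hex chars, the
#                   k-anonymity layout of the HIBP range API, for indirect matches
_PLAIN_BREACH = [("Alice@Example.com", "Summer2019!"), ("bob@example.com", "hello123")]
_PAIR_HASHES = {sha1_hex(e.lower() + ":" + p) for e, p in _PLAIN_BREACH}
_PW_INDEX: dict[str, set[str]] = {}
for _, _p in _PLAIN_BREACH + [("", "Password1")]:  # a password leaked without an email
    _h = sha1_hex(_p)
    _PW_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_query(prefix5: str, index=_PW_INDEX) -> set[str]:
    """Server side: given only 5 hex chars, return every matching hash suffix."""
    return set(index.get(prefix5.upper(), ()))


def password_in_breach(password: str, index=_PW_INDEX) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5], index)


def check_credentials(email: str, password: str) -> Verdict:
    """Apply the two responses described in the post, highest risk first."""
    if sha1_hex(email.strip().lower() + ":" + password) in _PAIR_HASHES:
        return Verdict.FORCE_RESET      # exact pair leaked: account is directly at risk
    if password_in_breach(password):
        return Verdict.WARN_WEAK        # password leaked from someone's account somewhere
    return Verdict.OK
```

Because the comparison is on exact hashes, a near-variant such as hello1234 is not flagged when only hello123 is in the corpus; a check on password parts, as a later post speculates, would need a separate mechanism.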


@canuckjacq Thanks for the patient explanation. I found this thread after receiving the same warning today, and I’m not surprised it’s raised some concern.

Note that the wording in the email was that my password is in

a list of passwords commonly used on other websites

not that my password “has been in a breach”, as you explain. The right thing to do here is to either

A. Change the language in the warning to state that the password was used in a breach, or

B. Recognize that checking against “commonly used” passwords is not yet a common practice and can be alarming to users, particularly in the open-source community who may mistrust Microsoft’s practices. I would suggest including a link along with the message, pointing to details and a justification.

In the meantime, I don’t think external companies are sharing password hashes unless there is a real breach, which leads me to believe that the database in question is an internal database assembled from websites owned by Microsoft and its subsidiary companies.


I changed my password many times, but that alert is still there. This is so annoying. What to do?


Just curious why my old password that was exclusive to GitHub was called out for not being secure, while a simple joke password like WhenTheImposterIsSus isn’t in your database. I wasn’t even cherry-picking, this was the first password that came to mind. Obviously I didn’t use it, but it’s insane that something so obvious isn’t on the list while my old password was.


I think I know what’s going on here. Perhaps GitHub’s login process is passing the user-provided [plain-text] password through their normal “minimum password requirements” rules. If the password doesn’t meet the requirements, they are generically throwing this “common password” message. They are basically retroactively enforcing password strength rules on existing passwords. The message is ambiguous enough to scare people into making stronger passwords, and they don’t give you a choice except to change it.

The only other thing I can think of is they are using an extremely weak hash to match passwords with, and collisions are happening. But that seems too ludicrous to even be fathomable.


@canuckjacq Is there any guarantee or policy regarding who the vendor sells to that may make the community feel better? I.e., not anything specific, but can you state whether the vendors sell or give this information only to trusted and legit organizations like GitHub and not just sell the data to anyone with money?


WhenTheImposterIsSus isn’t actually that easy a password for automated password crackers to break. Secure passwords don’t have to just be composed of random strings of upper and lower case characters, numbers and symbols. They can be short English sentences or even two or three English words that aren’t commonly put together, like teachcakedill. The odds of someone either manually or even programmatically guessing WhenTheImposterIsSus are pretty low, so it makes sense GitHub’s algorithm would accept it.

Checking against “commonly used” passwords is a common enough practice. The practice itself might not be implemented by a lot of websites, but that’s definitely one tool any security expert has in their toolkit. Why do you think, if you searched for something like the top 10 most commonly used passwords and compared over several years, the same or similar passwords keep showing up?

Also, while I think changing the wording on the surface might make sense, I could see it causing more replies like we have in this thread of the type, “I don’t see my password breached on haveibeenpwned”. For me, wording like, “it’s a commonly used password” is more generic. Because, as some have said on here, their passwords haven’t been breached (or, at least, not been in a breach recognized by haveibeenpwned).

For anyone in the future reading this, or for any of those who already replied like a year ago but care to still check the new replies, I’d like to chime in with my two cents:

Firstly, HIBP isn’t the be-all-and-end-all of passwords that have been breached. Even on HIBP, there are times where they list a breach but have no idea of what information was specifically hacked, because it depends on whether the site/company that was hacked has determined that information and/or shared it. HIBP also isn’t the final word in black market password lists floating around on the dark web. So, while checking on there is a great tool to have in your arsenal, it’s just one tool.

Secondly, from reading everything on here, it seems to me that whatever checks GitHub is now using to determine “weak passwords”, it’s not just seeing if your password (or, more specifically the hash of your password) was found in a breach. It seems that the checks also involve some internal list of commonly used passwords or password-parts. That is, if a commonly used password that is easily hackable is “hello123” and your password is “hello1234”, while technically your password may not be in that list, it’s still easily hackable.

Thirdly, the lists that everyone is demanding are accessible from pretty much any reputable security company - the ones that also check for and report potential vulnerabilities in Windows, etc. This isn’t about FOSS vs Microsoft or the security industry. This is plain and simple about GitHub, a service that you are using but aren’t entitled to use, deciding to implement stronger measures to protect their customers, their data and help ease potential future workload for them as a company.

Lastly, for those calling these measures draconian, look up what that word really means. Draconian would be something like GH requiring us to pass through 4 or 5 levels of authentication before even accessing the small part of our account. What GitHub has done also isn’t overkill! While it’s true that OTP in some ways negates the need to worry as much about the strength of one’s password, it isn’t a foolproof method. Even within 2FA methodologies, using an authenticator app is more secure than sending an OTP by text. But, overall, using a password and an OTP is still just using only 2 of the trifecta of security methodologies - something you know, something you own/have, something you are (i.e., your fingerprint or iris scan). Implementing all 3 of those things would, in my opinion, be overkill.