Removing Git password auth is a major security vulnerability

As NPM has shown us all, having a token on our machines can be a major security vulnerability to the platform. And further, I now have to put this authentication token or my SSH private key (both of which should be private things) onto some shared servers and machines in order to be able to push changes from them. In the blog post there were zero reasons given for the decision apart from them saying it will have minimal impact on automated build systems and people who use other Microsoft products (VSCode, GitHub Desktop, etc.).

It seems Microsoft has made it intentionally difficult to provide feedback on their blog posts, and I’ve seen nothing but negative responses to this decision on Twitter, so from this experience it seems to me that Microsoft really does not care about the GitHub community. Genuinely considering moving to one of the many other Git hosting websites that actually cares about its users.

Using an authentication token generated by GitHub might be painless for automated systems, but for normal humans it’s a lot of steps to do something as simple as log in, especially when nearly every other platform treats its users like humans, allowing them to simply log in as needed.

I believe that the whole idea of enforcing a PAT as the credential for Git operations was to protect user accounts from man-in-the-middle attacks, i.e. in the worst-case scenario a hacker would only be able to steal your PAT but not your GitHub login credentials, which would have far more disastrous consequences — e.g. while you can still access your account it’s easy to revoke a PAT and create a new one. Also, logging into the GH account has been made more secure via 2FA and other security measures.

The PAT requirement only affects Git operations via HTTPS, which isn’t exactly the recommended Git protocol either — SSH being better, which requires an SSH key, which when you think about it doesn’t make the need for a PAT so odd either.

I believe that these security measures are also dictated by governments requiring online services to enforce increasingly stronger security measures, to protect the public in general, as well as online services. So wherever you’ll turn, chances are that similar changes in security policies will also apply there, sooner or later.

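The reply above makes the point that the PAT requirement only touches HTTPS remotes and that SSH key auth sidesteps it. The following POSIX shell snippet is an added example (not code from either poster or from GitHub) that classifies the push remotes in `git remote -v` output as "PAT needed" (HTTPS) or "key auth" (SSH) and prints the `git remote set-url` command that would switch an HTTPS remote to its SSH equivalent; the remote names and repository paths are constructed sample data.

```shell
#!/bin/sh
# Added example: audit Git remotes for the transport they use.
# HTTPS remotes on github.com now require a PAT; SSH remotes use a key.

# Print the SSH form of a github.com HTTPS URL; any other URL is echoed unchanged.
to_ssh_url() {
  case "$1" in
    https://github.com/*)
      path=${1#https://github.com/}      # strip scheme and host
      path=${path%/}                     # drop a trailing slash, if any
      case "$path" in *.git) ;; *) path="$path.git" ;; esac
      printf 'git@github.com:%s\n' "$path"
      ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# Return 0 (true) when the URL is a github.com HTTPS remote, i.e. a PAT is required.
needs_pat() {
  case "$1" in
    https://github.com/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of `git remote -v` output (in real use: report_remotes "$(git remote -v)").
sample_remotes='origin  https://github.com/example-org/app.git (fetch)
origin  https://github.com/example-org/app.git (push)
upstream  git@github.com:example-org/lib.git (fetch)
upstream  git@github.com:example-org/lib.git (push)'

# For each push remote, say whether it needs a PAT and how to move it to SSH.
report_remotes() {
  printf '%s\n' "$1" | while read -r name url kind; do
    [ "$kind" = "(push)" ] || continue
    if needs_pat "$url"; then
      printf '%s: HTTPS, PAT needed -> git remote set-url %s %s\n' \
        "$name" "$name" "$(to_ssh_url "$url")"
    else
      printf '%s: SSH, key auth, no PAT needed\n' "$name"
    fi
  done
}

report_remotes "$sample_remotes"
```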