Using HTTP access tokens reduces security

GitHub tries to force users to use HTTP access tokens instead of user/password. As nobody can remember the token, it will end up in clear text on the computer for any malware to pick up.

SSH seems to be a wiser choice as the private key can be password protected.

But as long as the user can log into the GitHub web frontend, security is not improved at all.

So the whole change seems to be superfluous.

I personally prefer SSH anyway, but the problem of remembering tokens can be easily solved with a password manager. I suspect most people can’t remember different, strong passwords for all sites they use, so that’s a good idea anyway. :wink:

On the other hand if a token is stolen, at least the scope is more limited than for a password.

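The clear-text storage concern raised in this thread can be checked on your own machine. The following is an added example, not part of either post: it flags Git's plaintext `store` credential helper, secrets embedded in remote URLs, and strings carrying GitHub's token prefixes. The file names, the user `alice` and the token in `demo()` are constructed samples.

```python
import re
import tempfile
from pathlib import Path

# GitHub token prefixes: ghp_/gho_/ghu_/ghs_/ghr_ and fine-grained github_pat_
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})")
# Any http(s) URL of the form scheme://user:secret@host
URL_CRED_RE = re.compile(r"https?://[^/\s:@]+:([^@\s]+)@([^/\s]+)")
# "helper = store" makes Git write credentials unencrypted to ~/.git-credentials
HELPER_RE = re.compile(r"^\s*helper\s*=\s*store\b", re.M)

def audit_file(path):
    """Return (kind, detail) findings for one Git config or credential file."""
    text = Path(path).read_text(errors="replace")
    findings = []
    if HELPER_RE.search(text):
        findings.append(("plaintext-helper", "credential.helper = store"))
    for m in URL_CRED_RE.finditer(text):
        # Report the host only, so the audit output never repeats the secret.
        findings.append(("secret-in-url", m.group(2)))
    tokens = set(TOKEN_RE.findall(text))
    if tokens:
        findings.append(("github-token", f"{len(tokens)} token(s)"))
    return findings

def demo():
    """Audit three constructed files that mimic ~/.gitconfig, ~/.git-credentials, .git/config."""
    fake_token = "ghp_" + "A" * 36  # constructed placeholder, not a real token
    samples = {
        "gitconfig": "[user]\n\tname = alice\n[credential]\n\thelper = store\n",
        "git-credentials": f"https://alice:{fake_token}@github.com\n",
        "repo-config": '[remote "origin"]\n\turl = git@github.com:example/repo.git\n',
    }
    with tempfile.TemporaryDirectory() as d:
        results = {}
        for name, body in samples.items():
            p = Path(d, name)
            p.write_text(body)
            results[name] = audit_file(p)
        return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

To audit a real machine, call `audit_file()` on `~/.gitconfig`, `~/.git-credentials` and each repository's `.git/config`; an SSH remote such as the one in `repo-config` produces no findings.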