From the long time that security experts pushed for the password best practices, to ensure a better and strong security of all users’ accounts. However, when users do not have a right routine your accounts may be compromised, especially if their password is the same to authenticate in other services.
The new feature is the result of a partnership with Troy Hunt, the security researcher behind the popular HaveIBeenPwned.com project. With this website is possible to guarantee a better security from the users point-of-privacy by checking their accounts and passwords have appeared in any data breaches.
The GitHub has created an internal tool that uses the millions of records that Hunt made available from download via its service to “validate whether a user’s password has been found in any publicly available sets of breach data.”
The tool has released the last week and warns users when their passwords appear in the Hunt service — basically when it has been compromised in a known data leak.
This tool, or plug-in (as you wish), alert users when they are accessing the sign-up page, during login or even when they are updating their password.
“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.
Additionally, users who have 2FA enable will receive frequent warnings to review the 2FA setup and recovery options, revealed GitHub.
Remember that 2FA accounts that have the validation code via SMS can be unreliable — we can look at Reddit data breach in the last week. The right way can be, for example, to configure a token instead of a SMS validation code.
“These new account security enhancements will help improve the security of your account. We hope you will take this opportunity to review the security of your account. Balancing security, usability, and recoverability is a personal decision,” GitHub notes.
GitHub, that will soon become part of Microsoft, has made some security improvements as well, including, for instance, the enforcing of SSL/TLS.
Nonetheless, this did not stop hackers from compromising accounts to spread malicious code, as was the case with the recent Gentoo incident.