Security experts have long pushed password best practices to keep users' accounts secure. But when users do not follow a sound routine, their accounts can be compromised, especially if they reuse the same password to authenticate to other services.
The new feature is the result of a partnership with Troy Hunt, the security researcher behind the popular HaveIBeenPwned.com project. The site lets users check, from a privacy-preserving standpoint, whether their accounts and passwords have appeared in any known data breaches.
GitHub has built an internal tool that uses the millions of records Hunt makes available for download via his service to “validate whether a user’s password has been found in any publicly available sets of breach data.”
The tool was released last week and warns users when their password appears in Hunt's dataset, that is, when it has been compromised in a known data leak.
The tool (or plug-in, if you prefer) alerts users on the sign-up page, during login, and when they update their password.
“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.
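The check described above, as an added example that is not GitHub's own code: it indexes a constructed slice of the Pwned Passwords download (the real file is one `<SHA-1 hex>:<count>` record per line) by the first five hex characters of each hash, then answers "has this password been seen in a breach?" at sign-up, login and password-change time using only the plaintext the user just submitted. The prefix/suffix split mirrors the range-query model the HaveIBeenPwned service uses, which is an assumption about design rather than something the article states; the prevalence counts in the sample are made up, and the storage step (bcrypt) is deliberately left out.

```python
import hashlib

# Constructed stand-in for a slice of the Pwned Passwords download.
# Format is real ("<SHA-1 hex>:<prevalence count>"); the two digests are the
# real SHA-1 hashes of "password" and "123456", the counts are invented.
SAMPLE_CORPUS = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000
7C4A8D09CA3762AF61E59520943DC26494F8941B:2500000
"""

PREFIX_LEN = 5  # the dataset is queried by the first five hex characters


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password: the key used by the breach dataset.

    This digest is used only for the lookup; the account password itself is
    stored with a slow hash such as bcrypt, which is out of scope here.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_corpus(text: str) -> dict:
    """Index breach records as {prefix: {suffix: count}}.

    Partitioning by prefix means a lookup only needs the first five hex
    characters of the hash, never the full hash or the password.
    """
    corpus: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, count = line.split(":")
        bucket = corpus.setdefault(digest[:PREFIX_LEN], {})
        bucket[digest[PREFIX_LEN:]] = int(count)
    return corpus


def range_lookup(corpus: dict, prefix: str) -> dict:
    """Return every suffix (and count) that shares the five-character prefix."""
    return corpus.get(prefix.upper(), {})


def breach_count(password: str, corpus: dict) -> int:
    """How many times the password appears in breach data (0 if never seen)."""
    digest = sha1_hex(password)
    candidates = range_lookup(corpus, digest[:PREFIX_LEN])
    return candidates.get(digest[PREFIX_LEN:], 0)


def check_password(event: str, password: str, corpus: dict) -> tuple:
    """Policy hook run at sign-up, login and password change.

    Returns (compromised, message); the caller decides whether to block or
    merely warn, which the article does not specify for GitHub's tool.
    """
    if event not in ("signup", "login", "password_change"):
        raise ValueError(f"unknown event: {event}")
    count = breach_count(password, corpus)
    if count == 0:
        return False, f"{event}: password not found in known breach data"
    return True, f"{event}: password seen {count} times in known breach data"


# Loaded once at import so callers (and tests) can reuse the index.
CORPUS = load_corpus(SAMPLE_CORPUS)


if __name__ == "__main__":
    for event, pw in (("signup", "password"),
                      ("login", "123456"),
                      ("password_change", "correct horse battery staple 9Qz")):
        print(check_password(event, pw, CORPUS)[1])
```

The client-side cost is one SHA-1 per submission plus a dictionary lookup, so the check adds nothing noticeable to the sign-up or login path; the privacy property comes from only ever deriving the five-character prefix from the user's input when the dataset lives on a remote service.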
Additionally, GitHub revealed that users who have 2FA enabled will receive periodic warnings to review their 2FA setup and recovery options.
Remember that 2FA that delivers the validation code via SMS can be unreliable, as last week's Reddit data breach showed. A better option is, for example, to configure a token instead of an SMS validation code.
“These new account security enhancements will help improve the security of your account. We hope you will take this opportunity to review the security of your account. Balancing security, usability, and recoverability is a personal decision,” GitHub notes.
GitHub, which will soon become part of Microsoft, has made other security improvements as well, including, for instance, enforcing SSL/TLS.
Nonetheless, this has not stopped hackers from compromising accounts to spread malicious code, as in the recent Gentoo incident.
Pedro Tavares is an information security professional working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.