GitHub accounts with feeble passwords fall to brute force attack

GitHub user? Now would be a good time to set up two-factor authentication.


Popular software hosting service GitHub has urged users to set up two-factor authentication after an automated password-guessing attack compromised some accounts with weak passwords.

With massive password leaks appearing nearly weekly and reusing the same password across multiple accounts still common practice, automated password attacks are one good reason to set up an extra layer of authentication for crucial online services. Apple, Dropbox, Google, Twitter, Facebook and Microsoft have all rolled out two-factor authentication over the past year.

GitHub has sent out emails to users with weak passwords whose accounts were compromised in a password-guessing attack on its authentication system that was launched from around 40,000 unique IP addresses.

The IP addresses were used to "slowly brute force weak passwords or passwords used on multiple sites", according to a blogpost by GitHub security manager Shawn Davenport today.
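The "slow" guessing Davenport describes stays under per-IP rate limits because each of the roughly 40,000 addresses makes only a handful of attempts; the signal is the number of distinct source IPs failing against one account. As an added example, not GitHub's code, the following Python over constructed log lines flags accounts hit from many IPs inside a window and then, mirroring the second signal in the article, successful logins from IPs seen in that campaign (log format, thresholds and sample data are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not GitHub data): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2013-11-19T10:00:01Z FAIL alice 203.0.113.10
2013-11-19T10:07:12Z FAIL alice 198.51.100.23
2013-11-19T10:15:44Z FAIL alice 192.0.2.77
2013-11-19T10:22:03Z FAIL alice 203.0.113.44
2013-11-19T10:31:50Z FAIL alice 198.51.100.9
2013-11-19T10:05:00Z FAIL bob 203.0.113.10
2013-11-19T10:06:00Z FAIL bob 203.0.113.10
2013-11-19T10:09:00Z OK bob 203.0.113.10
2013-11-19T11:00:00Z OK carol 192.0.2.77
"""

def parse(text):
    """Parse log lines into time-sorted (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, result, user, ip = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return sorted(events)

def distributed_guessing(events, window=timedelta(hours=1), min_ips=4):
    """Accounts whose failed logins within one window came from >= min_ips
    distinct IPs. A per-IP counter never trips here: each IP tries once."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails[user].append((ts, ip))
    flagged = {}
    for user, attempts in fails.items():          # attempts are already time-ordered
        for i, (start, _) in enumerate(attempts):
            ips = {ip for ts, ip in attempts[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = ips
                break
    return flagged

def logins_from_attack_ips(events, attack_ips):
    """Successful logins from IPs seen in the campaign: the reason GitHub also
    reset some strong-password accounts."""
    return {user for _, result, user, ip in events if result == "OK" and ip in attack_ips}

def analyse(text):
    events = parse(text)
    flagged = distributed_guessing(events)
    attack_ips = set().union(*flagged.values()) if flagged else set()
    return flagged, logins_from_attack_ips(events, attack_ips)
```

In the sample, alice is flagged by the distinct-IP count alone, while bob and carol are flagged only because they logged in successfully from addresses that had been guessing against alice.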

GitHub has reset passwords on compromised accounts and is telling those affected to create a new, stronger password. It's also revoked personal access tokens, OAuth authorisations, and SSH keys on the affected accounts. 

GitHub has even reset some user accounts with strong passwords after detecting logins on the accounts from IPs that were used in the attack, Davenport said.

Those with strong passwords or with two-factor authentication enabled would have been able to see the failed login attempts in GitHub's login history, as have the dozens of GitHub users who over the past 48 hours have reported attempts on their accounts from IP addresses in China, Indonesia, Ecuador, Venezuela, and elsewhere.

The failed login attempts are logged in the Security History page provided by GitHub, which, as GitHub noted in a brief alert today, is accessible to users with a strong password and two-factor authentication enabled.
