GitHub hardens defenses in wake of password attack

Collaborative development site bans weak passwords, ups rate-limiting efforts

Fresh off fighting a password-guessing attack powered by 40,0000 unique IP addresses, GitHub is hardening its defenses and rallying users to evaluate their authentication methods.

Github Octocat password hack two-factor authentication
Github's Octocat discovered hackers in its sandbox this week.

The company told users that they would no longer be able to login to GitHub with commonly-used weak passwords. Recent password hacks on other services, including Adobe , have revealed that passwords such as 12345 are still some the most widely used "secrets" for authentication.

Forcing users into stronger authenticatoin methods - namely two-factor - is shaping up to be a trend. Earlier this year, Google said as part of its five-year roadmap it would  force users into two-factor authentication requirements . Earlier this year, Forrester analyst Eve Maler predicted that in the next few years t wo-factor authentication will be unilaterally required by online service providers, and more important, accepted by users.

GitHub, a popular collaborative development site, was forced to reset some user accounts that had weak passwords or passwords that had been re-used across sites. Other accounts that were attacked but not compromised also had their passwords reset.

In accounts that were compromised, GitHub reset passwords and revoked OAuth tokens and SSH keys.

In a recent attack on Buffer, a web service used to schedule social media posts, the company revoked OAuth tokens that hackers had stolen and used to access Facebook and Twitter accounts of Buffer users. That shut down the attack, but it also forced Buffer to change its security architecture and its method for storing tokens.

GitHub did not disclose how many users were affected but the site claims 4.6 million users working across 9.5 million repositories. The number of new users coming to GitHub has been reported to be 10,000 per weekday.

In a blog post, Shawn Davenport of GitHub's engineering team wrote, "This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information."

Meanwhile, users are being instructed to configure new stronger authentication. GitHub defines stronger as two-factor authentication and not re-using a password on other sites. Generally, the company is telling its users to consider passphrases, but if a password is used the recommendation is for 12 or more characters.

Davenport said the company is working on additional rate-limiting measures to thwart the type of brute-force attack that hit the site.

GitHub stores passwords using bcrypt, which can adapt over time to weather ever-strengthening brute-force attacks.