back to article Huge horde of droids whacks code box GitHub in password-guess attack

Miscreants have fired up a large army of remote-controlled computers to get around GitHub's login rate-limiting policies, designed to thwart attempts to brute-force guess the passwords for its users' accounts. The bots, most likely unwitting PCs compromised by malware, have attacked the online source-code repository from " …


This topic is closed for new posts.
  1. FrankAlphaXII

    Good advice, but hard to truly heed

    >>Never use the same password and username combination on other sites, no matter how fringe.

    Great advice but most users do not follow it because its a pain in the ass, and quite a number of people don't trust login manager software. Having a billion different usernames and passwords gets very confusing even to the most paranoid user. Having to try 100+ combinations and spend 15 minutes to do something that would otherwise take 10 seconds gets old quick. CorrectHorseBatteryStaple starts looking really good after doing things that way for awhile.

    And I don't know if the author is implying this, but how are GitHub and Adobe fringe? Most people have used or use an Adobe product (though I don't believe you need an account at Adobe to download the piece of crashy garbage that is Flash or if someone absolutely insists on using Adobe Reader when there are plenty of alternatives of varying quality) and quite a number of developers, testers, package maintainers, designers, project managers and technical users use GitHub.

    1. cracked

      Re: Good advice, but hard to truly heed

      While it's obviously not cool to say so, I agree with you. I'm getting a bit fed up of reading it at the bottom of every related article (here and on every other IT based site).

      I also agree that trusting a "password manager" would be roughly as silly as using the same user/pass combo on every site (but not quite so silly).

      I wrote my own little password manager app ... but I appreciate that hosting it (on my NAS) gives potential problems with any holes in my network (router firmware etc).

      I could have remote hosted it, but that seems just as silly as using a third party password manager.

      I have 517 "Accounts" in my system. My quick-stat report tells me only slightly more than 2% are regularly accessed and that nearly 300 haven't been accessed in over 2 years. I would imagine, if I checked, that a large % of those sites no longer exist (yes, I know; but I can't be bothered to write the function to do it)

      My dad has 14 entries in his (pen and paper) "black book" (bless him)

      And so yes, this is another reason to pull the "Stop The Bus" Chord and pay the fine ... No one - without some cool brain altering disease - can remember anymore than a handful of user/pass combinations and I have never seen anyone come up with a way of storing that data in a completely-safe and still-useable manner (maybe my Dad had it right, all along?)

    2. Anonymous Coward
      Anonymous Coward

      Re: Good advice, but hard to truly heed

      Maybe I'm being a bit obtuse, but if the problem is the range of IP addresses being used to attack the db, maybe part of the solution is to allow the user to specify a range of IP addresses from which the login credentials work. Set it when you create the account based on the connection. Allow additional ranges to be added from the known good connection. Even if you use a class B range instead of class C you've narrowed the attack vector tremendously. And when we move to IP6 the filter becomes even more effective. You could allow additional challenge questions in the event the attacker comes from an excluded range for the rare times you are out of your normal range of devices.

      Or maybe we really work on the PGP key exchanges. You login to the site, generate the key and it becomes a part of your login handshaking. Password first, then present your PGP key.

      What we need here is something different, not just longer and more difficult to type passwords.

  2. SVV

    Actually, there are no unhappy SVN users because of this

    GitHub is a completely different source contrgol system to SVN : it has a nice web interface, but SVN integrates very nicely with most development IDEs. The issue and proect planning integration is good though.

    Having said all that, who the hell entrusts their source code to a third party?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Actually, there are no unhappy SVN users because of this

      "GitHub is a completely different source contrgol system to SVN"

      Spoken like a true Git user ;-) ;-)


    2. Pete Spicer

      Re: Actually, there are no unhappy SVN users because of this

      Actually, there are unhappy SVN users because of this because Github provides a compatibility layer to allow use by SVN clients as per

    3. Destroy All Monsters Silver badge

      Re: Actually, there are no unhappy SVN users because of this

      > Having said all that, who the hell entrusts their source code to a third party?

      You do it everyday.

  3. Destroy All Monsters Silver badge
    Thumb Down

    "Hackers have fired up a large army of remote-controlled computers"

    More like lamers.

  4. Anonymous Coward
    Anonymous Coward

    how can I get s list of the botnet's ips

    I'd love to add them to my deny-all rules.

  5. cracked

    Is this "safe"?

    Before I coded my little password manager - replacing my text file - I considered the following system. I am still not quite able to decide why I should not use it; can you help?

    1. When arriving at a "new" site that requires credentials, always create a new email account on my domain for that site (so

    2. Just type as many random (alpha / numeric / symbol) characters as possible into the password field. Copy from that field to the obligatory RetypeYourPassword field.

    3. Make no note of the password I have typed.

    4. File the "welcome" email in a sub-folder dedicated to storing those emails

    5. When/If I go back to the site, use the Forgot Password option.

    5a. If I have forgotten the email address, search my Welcome-Folder for the email

    (If there is another way, rather than a manager or that above; what is it? I thought for a long time but couldn't come up with anything. Has there been an el-Reg poll? I'm not very observant, sometimes)

    1. Anonymous Coward
      Anonymous Coward

      Re: Is this "safe"?

      There hasn't been a Reg poll. If we ran one - what questions would you like us to pose.

      1. Benjol

        Re: Is this "safe"?

        How about:

        Which password management 'system' do you use? (or would you recommend):

        - Same password everywhere

        - External password manager

        - Home-made password manager

        - Pen & paper

        - All different, all memorised

        - I just do 'Forgot password' every time

        - A combination of the above

        - Other (please describe in comments)

      2. cracked

        Re: Is this "safe"?

        Sorry, Drew, I disappeared too quickly.

        But as Benjol put below your question; a poll with a list of what is considered to be the "normal mechanisms" would be a good start.

        If the poll has the usual Comments Section, then anyone with a "fancy way" - not included in the poll choices - can give a few brief details. I guess you may then end up with a second poll with more options?

        I guess one of the issues with it is highlighted in this comments section. Using OpenID where possible and then .... Something else when not. How do you poll that?

        Looking at it that way, I guess a complex questionnaire might tease out more complete answers ... but that's not really what I thought "Round 1" would be good for.

        "Never reuse a username and password combination" - You see it everywhere (not just on here), all the time. We all nod sagely in agreement - making a noise like Lord Melchett when he agrees with something obvious - but just exactly how do we all obey that rule? Do we all have brain disorders that mean we can remember 100 combinations? Do we all use OpenID? And, if we do, what do we do when we can't? Do we all think "Forgot Password" is a good idea? Do we all keep a pen & paper black-book?

        Or, like Lord Melchett; are we all just making the right noises and hoping no one notices we're at least as silly as everyone else? (And I strongly suspect we might well be). Is this a case of "Do as I say ..."?

        So: A poll might at least stimulate a discussion and - though less likely - come up with a couple of "most used methods" that might get us some useable best practice.

        Have a think, Drew; like I say, it won't be a poll that simply gives a direct answer. But it might be a useful starter for ten :-)

    2. Anonymous Coward
      Anonymous Coward

      Re: Is this "safe"?

      The problem I see with this is that you will repeatedly be sending an up to date password over an unencrypted link (email). There is more chance of interception. Not such a problem with those sites that send a password reset link, but that is a pain in itself.

      Having said that...I have used the forgotten password technique before on some sites where I don't care about the account. It's easier than trying to remember a password for more than a year or noting it in a password manager!

  6. Benjol

    That's pretty much what I've started doing, though I don't change email addresses each time.

    (That's for the sites that don't have OpenId, where I just use my One Login to Rule them All)

  7. DropBear

    How about moving to PKE...?

    For the sake of argument - would a system based solely on public key signatures instead of some username / password combination be better or worse? That is assuming of course that the cypher used is considered currently unbreakable, and considering your own machine (that handles your private key) not compromised. Obviously, if someone DID get your private key they'd instantly have access everywhere - but perhaps a single key could be better protected - possibly in a secure hardware token of some sort etc. So - yay / nay?

This topic is closed for new posts.

Other stories you might like