GitHub presses big red password reset button after third-party breach

GitHub has reset the passwords of users targeted in an attack this week that relied on using stolen credentials from a breach at a third party site. The software repository itself has not suffered a breach. Hackers behind the assault were trying to break into the accounts of users who had inadvisedly used the same login …
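The attack described above is credential stuffing: a leaked username/password list from another site is replayed against GitHub, and it only works for accounts whose owners reused the password. The following is an added example, not code from GitHub or The Register, showing the pattern a defender looks for in authentication logs: one source trying many distinct accounts with a low success rate, and the handful of successes being exactly the accounts whose passwords need resetting. The log line format and the sample lines are constructed for this example; the thresholds are assumptions.

```python
"""Flag credential-stuffing patterns in constructed authentication logs.

Added example, not GitHub's or The Register's code. The log format is an
assumption: "<ts> ip=<addr> user=<name> result=<ok|fail>".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source walks a leaked credential list across many
# distinct accounts (one reused password succeeds); the other is an ordinary
# user who mistyped once and then logged in.
SAMPLE_LOG = """\
2016-06-14T09:00:01Z ip=203.0.113.7 user=alice result=fail
2016-06-14T09:00:02Z ip=203.0.113.7 user=bob result=fail
2016-06-14T09:00:02Z ip=203.0.113.7 user=carol result=ok
2016-06-14T09:00:03Z ip=203.0.113.7 user=dave result=fail
2016-06-14T09:00:04Z ip=203.0.113.7 user=erin result=fail
2016-06-14T09:00:05Z ip=203.0.113.7 user=frank result=fail
2016-06-14T09:01:00Z ip=198.51.100.4 user=grace result=fail
2016-06-14T09:01:05Z ip=198.51.100.4 user=grace result=ok
"""


def parse(log_text):
    """Yield one dict per line that matches the assumed format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_stuffing_sources(log_text, min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources that look like credential stuffing.

    Heuristic: a single source authenticating as many *distinct* accounts and
    mostly failing is the signature of replaying someone else's breach dump.
    The successes from such a source are the reused passwords that worked,
    i.e. the accounts to force-reset. A lone user fat-fingering their own
    password touches one account and is not flagged.
    """
    attempts = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0, "hits": set()})
    for rec in parse(log_text):
        a = attempts[rec["ip"]]
        a["users"].add(rec["user"])
        if rec["result"] == "ok":
            a["ok"] += 1
            a["hits"].add(rec["user"])
        else:
            a["fail"] += 1

    flagged = {}
    for ip, a in attempts.items():
        total = a["ok"] + a["fail"]
        if len(a["users"]) >= min_distinct_users and a["ok"] / total <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(a["users"]),
                "failures": a["fail"],
                "compromised": sorted(a["hits"]),  # accounts whose password must be reset
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed sample only 203.0.113.7 is flagged, with `carol` as the account to reset; the single-user retry from 198.51.100.4 is ignored. Real deployments would key on more than the source address (attackers spread attempts over proxies), but the distinct-account count per source is the signal that separates stuffing from a forgotten password.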

  1. frank ly

    "... practise good password hygiene and enable two-factor authentication to protect your account ..."

    Shouldn't that be ".. OR enable two-factor authentication ..." ?

  2. Anonymous Coward

    I don't have a phone, so if companies go phone-as-a-factor authentication only, I guess I'll just not use those companies.

    Also, stop getting hacked you idiots.

  3. JimmyPage

    I don't have a phone

    Not being funny, but what are you doing on The Register?

    Are you *ever* going to get a phone?

    I can understand Joe Public holding out from having a (I presume you mean) smartphone.

    But a nominal techie ? Surely you should be - to a certain degree - leading your customers. Not following them.

    1. Anonymous Coward

      Re: I don't have a phone

      I'm not a late adopter of technology as you're making out. I'm just between burners right now.

      Smartphones are bad technology. They're slow and power hungry, impossible to secure, can't be trusted on the LAN. Literally ALL "apps" are both useless and malware. Their slow input, clumsy interfaces, and lack of tactile feedback limit the bandwidth between thought and action.

      I also think you've got it backwards. Choosing not to have a smartphone is a privilege Joe Public can no longer access. Not having one is for elite techies who can arrange other ways of contacting their infrastructure, and don't want or need to be contacted AFK.

      Last weekend I was walking along a beach promenade. A group of young chavettes wearing swimwear had their smartphones tucked into their bikinis. Apparently that's where the smartphone fits into our society.

      1. Bronek Kozicki

        Re: I don't have a phone

        Dude, two-factor authentication does not need a smartphone. The ones I have seen which do rely on a phone use text messages (i.e. SMS); that's technology supported by all mobile phones since the previous century.

        1. Anonymous Coward

          Re: I don't have a phone

          SMS is falling apart. I'll probably block it on my non-smartphone soon because it chokes on those damn iphone/android "special" texts everybody keeps sending me.

      2. Captain DaFt

        Re: I don't have a phone

        "Apparently that's where the smartphone fits into our society."

        Someone on another site had a comment apropos of this

        (paraphrased, I can't remember where I read it):

        -Back in the seventies, if the government insisted all citizens carried a tracking device, it would have sparked major protests. Today people spend hundreds to own one, for the convenience of online access.-

    2. Mark 85 Silver badge

      Re: I don't have a phone

      Well, in his defense, I have a phone but seldom carry it as I hate the "leash" effect. I also will never give out that number to any site. Too much hacking, stealing credentials, spam, etc. result. I used to on an old phone but it soon filled with all sorts of what I can only describe as garbage. Not worth it.

      FTR, my current phone is not a smartphone. But still.. giving the masses including so-called "legitimate" companies my number is just imprudent. I'm done being someone's product if I can help it.

  4. Anonymous Coward

    Github users are technically competent to handle client-side browser certificates.

    The de facto standard of HTML form based passwords has always been a hack. Give browsers a user friendly interface to handle client-side certs, plus synchronisation between a user's devices, and passwords, phone codes, all that bullshit can go away.

    1. streaky

      Browser certs are a joke though. Github supports U2F which has got to be the way forward; I've been using it myself for many months now and it's absolutely rock solid.

  5. Tom 7 Silver badge

    Two factor authentication or lockout as I call it.

    I have one bank account that has two factor authentication - the items they choose for me to remember are either hopelessly insecure or not memorable.

    So I can't get in without a lot of phone calls.

    1. Anonymous Coward

      Re: Two factor authentication or lockout as I call it.

      Just out of interest, what's your mother's maiden name and first pet?

    2. PrivateCitizen

      Re: Two factor authentication or lockout as I call it.

      Two factor is different from two step authentication.

      If they want a user name & password then some form of memorable information, it is still single factor authentication.

      1. ThomH Silver badge

        Re: Two factor authentication or lockout as I call it.

        Yeah, usually factor one = something you know, factor two = something you have. You need to know your username, password, other identifying information; you need to have a physical USB key, or the correct phone to receive a login code on, or a properly associated token generator. If your bank is like mine then login is one factor but adding a new account payee requires the second factor of a card reader and debit card.

        Multiple pass-phrases is just an attempt to prevent you from using the same password as everywhere else, I'm guessing as I type, and entering the 3rd, 9th and 6th characters is probably a protection against key loggers?

  6. Captain DaFt

    Illusion of security

    Too many people will have one complicated password that they've committed to memory, then use it everywhere.

    One compromised site later, they're wide open to hackers online.

    Better to have simpler passwords (But Not stupidly common ones) unique to each site.

    Much better to use a password manager that stores the encrypted passwords on your own machine. Secure it with a complicated password committed to memory, and keep a hard copy of all passwords somewhere safe, just in case something happens to your machine.

    (Learned that last lesson the hard way, when the computer crashed mid backup, and managed to trash the backup as well as itself. Murphy is a bitch!)

  7. DropBear

    I guess I'm simply lucky that all the unimportant sites I access with reused passwords didn't happen to include Github (purely accidentally, that one is entirely unique...)


Biting the hand that feeds IT © 1998–2021