WoWInterface

WoWInterface forums (https://www.wowinterface.com/forums/index.php), Chit-Chat: "Change your github password" (https://www.wowinterface.com/forums/showthread.php?t=48558)

Rilgamon 11-22-13 11:13 AM

Change your github password
 
Warning to GitHub users: please reset your passwords now! Use the strongest password possible. Recently many GitHub accounts (with weak passwords) were compromised in a massive brute-force attack from 40,000 IP addresses. DETAILS:
https://plus.google.com/112788764123...ts/JwDhf1JffWs

Haleth 11-22-13 11:50 AM

Affected users have had their passwords reset, but it's a good idea to change your password anyway.

I can see several failed login attempts on my GitHub account over the past couple of days, from Venezuela, China and Mexico.
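A detection sketch for the pattern Haleth describes (a handful of failed logins per source, many sources, one target account), added here as an example; it is not code from the thread, from GitHub, or from any product. The log line format is invented, the addresses are RFC 5737 documentation IPs, and the thresholds are starting points rather than tuned values. The point it makes is that a per-IP lockout rule sees nothing while a per-account rule over a sliding window does.

```python
"""Distributed password-guessing detection over sample auth log lines.

Added example: not from the forum thread, GitHub, or any product.
The log line format is hypothetical (GitHub's real logs look different),
the IPs are RFC 5737 documentation addresses, and the thresholds are
illustrative defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): "<utc-ts> <OK|FAIL> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2013-11-20T03:14:07Z FAIL user=phanx ip=192.0.2.10
2013-11-20T03:14:09Z FAIL user=phanx ip=198.51.100.23
2013-11-20T03:14:10Z FAIL user=phanx ip=203.0.113.45
2013-11-20T03:14:12Z FAIL user=phanx ip=192.0.2.10
2013-11-20T03:14:13Z FAIL user=phanx ip=192.0.2.77
2013-11-20T03:14:15Z FAIL user=phanx ip=203.0.113.8
2013-11-20T03:14:20Z OK   user=phanx ip=203.0.113.9
2013-11-20T03:15:00Z FAIL user=haleth ip=198.51.100.7
2013-11-20T03:15:02Z OK   user=haleth ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse(log_text):
    """Parse log lines into (timestamp, result, user, ip) tuples, sorted by
    time; lines that do not match the format are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def per_ip_lockout(events, max_failures=5):
    """The naive rule: block any single IP with too many failures.
    Returns the IPs it would block (none, for a spread-out attack)."""
    failures = defaultdict(int)
    for _, result, _, ip in events:
        if result == "FAIL":
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= max_failures)


def distributed_bruteforce(events, window=timedelta(minutes=10),
                           min_failures=5, min_ips=3):
    """Per-account rule: flag a user whose failed logins inside any sliding
    `window` number at least `min_failures` and come from at least `min_ips`
    distinct sources. Returns {user: (failures, distinct_ips)} for the
    busiest window seen for each flagged user."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:      # events are time-sorted
        if result == "FAIL":
            fails[user].append((ts, ip))

    flagged = {}
    for user, evs in fails.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            ips = {ip for _, ip in chunk}
            if len(chunk) >= min_failures and len(ips) >= min_ips:
                prev = flagged.get(user)
                if prev is None or len(chunk) > prev[0]:
                    flagged[user] = (len(chunk), len(ips))
    return flagged


def success_after_burst(events, flagged, grace=timedelta(minutes=30)):
    """Escalation signal: a successful login for a flagged account shortly
    after its failure burst, from an IP that was not among the failing ones.
    Returns {user: ip} for such logins; these are the accounts to reset."""
    hits = {}
    for user in flagged:
        fail_ips = {ip for _, r, u, ip in events if u == user and r == "FAIL"}
        last_fail = max(ts for ts, r, u, _ in events if u == user and r == "FAIL")
        for ts, r, u, ip in events:
            if (u == user and r == "OK" and ip not in fail_ips
                    and last_fail <= ts <= last_fail + grace):
                hits[user] = ip
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-IP lockout would block:", per_ip_lockout(evs))
    flagged = distributed_bruteforce(evs)
    print("distributed guessing against:", flagged)
    print("successful login after burst:", success_after_burst(evs, flagged))
```

On the constructed sample no single IP reaches the per-IP threshold, so that rule is silent; the per-account rule flags the target, and the follow-up successful login from a fresh IP is the signal that justifies a forced password reset rather than just a warning email.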

Resike 11-22-13 03:02 PM

Well, if you use weak passwords then you deserve it. A good password should not be able to be brute-forced over a year on an average PC.

Phanx 11-22-13 09:31 PM

Better link:
https://github.com/blog/1698-weak-pa...s-brute-forced

No thanks on clicking through some annoying Google+ page just to get to some two-bit "social news" site's crappy page full of ads that spams me with a giant modal popup begging me to like them on Facebook, ugh. ಠ_ಠ

Anyway, GitHub says they sent out emails to the affected users, but with such an enormous breach, I'd rather they sent emails to all users. I didn't get an email, so apparently I wasn't "affected", but I changed my password anyway. Admittedly my GitHub password was pretty weak (same old easy-to-remember password I use for a bunch of random accounts that contains no personal info and nothing important) but apparently a short, all-lowercase-letters password that isn't a dictionary word was still "strong enough", lol.

Rilgamon 11-23-13 04:58 AM

Quote:

Originally Posted by Phanx (Post 287345)
No thanks on clicking through some annoying Google+ page

While true I chose to link the source I got the information from to honour the act of sharing ;)

Rainrider 11-23-13 07:37 AM

GitHub's advice: http://xkcd.com/936/

Haleth 11-23-13 10:38 AM

Quote:

Originally Posted by Rainrider (Post 287356)
GitHub's advice: http://xkcd.com/936/

I always thought that was some flawed logic. It's not 44 bits of entropy when you're using a dictionary attack that checks for combinations of 3-5 existing words.

My passwords are usually based on phrases that are easy to remember depending on what the password is for, and then abbreviated, with some letters replaced by numbers, or uppercase/lowercase. It's not that difficult to remember.
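The arithmetic behind the 44-bit figure and behind Resike's "not brute-forced within a year" criterion from earlier in the thread, worked through as an added example; it is not part of the thread, of the comic, or of GitHub's guidance. It assumes the attacker already knows the word list and the scheme (the 44-bit figure is built on that assumption) and it models the "dictionary attack that checks combinations of 3-5 words" directly. The guess rates are assumptions chosen to contrast an online, rate-limited attack with an offline attack on a leaked hash; they are not measurements.

```python
"""Password-entropy and time-to-guess arithmetic for the xkcd 936 debate.

Added example: not from the forum thread, the comic, or GitHub's help page.
The guess rates below are assumptions for illustration, not measurements.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits_charset(length, charset_size):
    """Bits of entropy for `length` symbols chosen uniformly at random from
    a charset of `charset_size` symbols (log2 of the keyspace)."""
    return length * math.log2(charset_size)


def entropy_bits_passphrase(words, dictionary_size):
    """Bits of entropy for `words` words drawn uniformly, with replacement,
    from a list of `dictionary_size` words. The attacker is assumed to know
    the list and the scheme; that is exactly what this figure measures."""
    return words * math.log2(dictionary_size)


def dictionary_attack_guesses(target_words, dictionary_size,
                              min_words=3, max_words=5):
    """Expected guesses for an attacker who knows the word list and tries
    every phrase of min_words..max_words words, shortest length first:
    every shorter length exhausted, then half of the target length on average."""
    if not min_words <= target_words <= max_words:
        raise ValueError("target length outside the attacker's search range")
    shorter = sum(dictionary_size ** k for k in range(min_words, target_words))
    return shorter + dictionary_size ** target_words / 2


def expected_crack_seconds(bits, guesses_per_second):
    """Average time to hit a uniformly chosen secret: half the keyspace."""
    return (2.0 ** bits) / 2 / guesses_per_second


def survives_a_year(bits, guesses_per_second):
    """Resike's criterion from the thread: not guessable within a year."""
    return expected_crack_seconds(bits, guesses_per_second) > SECONDS_PER_YEAR


# Assumed attacker speeds (illustrative, not measured):
ONLINE_RATE_LIMITED = 10        # guesses/s against a service that throttles
OFFLINE_FAST_HASH = 1e9         # guesses/s against a leaked unsalted fast hash
OFFLINE_SLOW_HASH = 1e4         # guesses/s against a leaked bcrypt/scrypt hash


def summary():
    """Compare the schemes discussed in the thread under each assumed attack
    speed. Returns {scheme: (bits, survives_online, survives_offline_fast,
    survives_offline_slow)}."""
    schemes = {
        "8 chars, lowercase only": entropy_bits_charset(8, 26),
        "8 chars, all 95 printable ASCII": entropy_bits_charset(8, 95),
        "4 words from a 2048-word list (the comic)": entropy_bits_passphrase(4, 2048),
        "6 words from a 7776-word list (Diceware)": entropy_bits_passphrase(6, 7776),
        "16 chars, all 95 printable ASCII (manager-generated)": entropy_bits_charset(16, 95),
    }
    return {
        name: (round(bits, 1),
               survives_a_year(bits, ONLINE_RATE_LIMITED),
               survives_a_year(bits, OFFLINE_FAST_HASH),
               survives_a_year(bits, OFFLINE_SLOW_HASH))
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    # The "dictionary attack on 3-5 word phrases" objection, worked through:
    g = dictionary_attack_guesses(4, 2048)
    print(f"attacker trying 3..5-word phrases needs ~2^{math.log2(g):.1f} guesses "
          f"for a 4-word phrase (scheme entropy: {entropy_bits_passphrase(4, 2048):.0f} bits)")
    for name, row in summary().items():
        print(f"{name:55s} {row}")
```

Two things fall out of running it: an attacker who knows the scheme and exhausts all 3-word phrases before starting on 4-word ones still needs about 2^43 guesses on average, because the 3-word space is 2^11 times smaller than the 4-word one; and whether any of these survives a year depends far more on whether the attack is online (throttled) or offline (against a leaked hash) than on adding punctuation to an 8-character password.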

zork 11-23-13 10:51 AM

Haleth, but Rainrider is correct. Don't make yourself a password that is hard to remember and still too short. Just come up with a funny phrase and build in some twists. If you add upper/lower case and punctuation you are set.

Most of the time passwords are stolen by sniffing, not by guessing.

I read a funny article about security last year that described how the current 256-bit keys are secure enough because to compute a key you would need more energy than the sun possesses.

Haleth 11-23-13 01:39 PM

Quote:

Originally Posted by zork (Post 287360)
If you add upper/lower case and punctuation

This is the important part that wasn't mentioned in that comic :D

Resike 11-23-13 02:50 PM

Quote:

Originally Posted by Haleth (Post 287363)
This is the important part that wasn't mentioned in that comic :D

In before battle.net passwords...

Rainrider 11-23-13 09:49 PM

Quote:

Originally Posted by Haleth (Post 287363)
This is the important part that wasn't mentioned in that comic :D

https://help.github.com/articles/wha...trong-password That's github's opinion on the matter :)

What about those personal password managers? I took a look at LastPass site and stopped looking after I came to know that I must set one master password and after that I could use their manager on all the devices I own. So they save all my passwords somewhere. How secure is that somewhere? Where is it? How secure is the app itself? Why do they give it to me for free? :)

Dridzt 11-23-13 11:47 PM

If I were to use a password manager I'd most definitely use an open source one.

Nothing like peer review in security matters.
Example: KeePass

Cairenn 11-24-13 12:13 AM

I love KeePass!

Phanx 11-24-13 01:21 AM

I use PasswordSafe. Its storage is strictly local, it's open source, and it was originally written by Bruce Schneier. It's a Windows app, but there are also ports for many other platforms including Android and iOS. If you want to use it on multiple machines, either put your password file on a USB stick, or sync it; I now use SpiderOak for syncing due to their strong encryption and zero-knowledge policies (basically, everything is encrypted locally before it's uploaded, so they have no way to even know what you're uploading).

Since switching to this system, my passwords are all (well, at least the ones I've gotten around to changing) very long strings of random characters. I still let my browser remember passwords at home, though, because (a) I'm lazy, and (b) if someone has physical access to my computer there are far more embarrassing/incriminating things for them to get into than my GitHub account, and (c) if the NSA wants to look at my email or bank account, they don't need my password anyway.

Torhal 11-24-13 03:10 AM

Quote:

Originally Posted by Phanx (Post 287378)
Since switching to this system, my passwords are all (well, at least the ones I've gotten around to changing) very long strings of random characters. I still let my browser remember passwords at home, though, because (a) I'm lazy, and (b) if someone has physical access to my computer there are far more embarrassing/incriminating things for them to get into than my GitHub account

Ok. Seriously, now. Am I actually supposed to believe that Phanx is an actual human being?

Yes, yes, I know I "met her" at BlizzCon, but really...I wasn't fooled. That person was simply an agent.

Rilgamon 11-24-13 03:27 AM

I don't store my passwords in a program (other than my browser). I don't even remember most of them.
I use the email login all services offer ;) (aka "Password forgotten")

Phanx 11-24-13 06:28 AM

Quote:

Originally Posted by Torhal (Post 287382)
... Phanx is an actual human being?

I can neither confirm nor deny the veracity of this assertion.

MoonWitch 11-24-13 06:52 AM

Quote:

Originally Posted by Torhal (Post 287382)
Ok. Seriously, now. Am I actually supposed to believe that Phanx is an actual human being?

Yes, yes, I know I "met her" at BlizzCon, but really...I wasn't fooled. That person was simply an agent.

I am assuming she looks as she sounds, strict and sweet :) (Yes that comes out slightly wrong, it's not meant that way)

Rainrider 11-24-13 04:31 PM

Quote:

Originally Posted by Phanx (Post 287378)
I use PasswordSafe. Its storage is strictly local, it's open source, and it was originally written by Bruce Schneier. It's a Windows app, but there are also ports for many other platforms including Android and iOS. If you want to use it on multiple machines, either put your password file on a USB stick, or sync it; I now use SpiderOak for syncing due to their strong encryption and zero-knowledge policies (basically, everything is encrypted locally before it's uploaded, so they have no way to even know what you're uploading).

Since switching to this system, my passwords are all (well, at least the ones I've gotten around to changing) very long strings of random characters. I still let my browser remember passwords at home, though, because (a) I'm lazy, and (b) if someone has physical access to my computer there are far more embarrassing/incriminating things for them to get into than my GitHub account, and (c) if the NSA wants to look at my email or bank account, they don't need my password anyway.

Why do you trust SpiderOak not to save your password? The client that generates it is closed source, so there is no way to know it for sure.

Phanx 11-24-13 11:53 PM

Quote:

Originally Posted by Rainrider (Post 287451)
Why do you trust SpiderOak for not saving your password? The client that generates it is closed source so no way to know it for sure.

(1) My password file from PasswordSafe is encrypted already, so even if SpiderOak is lying to me, they can't access my passwords. If they really want to spy on my recipe collection or my user stylesheets, which aren't independently encrypted, well... knock yourselves out, guys. Grab some beers, hire some strippers, lay down some lines of coke, and have a wild party while you read all about how I reskinned Amazon and Duolingo. Oh yeah, baby, check out dat readable font size and dem colors!

(2) I'm more inclined to trust SpiderOak with my data than Dropbox etc. who do not encrypt my files at all, and who have explicitly stated they have full access to the content of my files ("but only a few special people, and we won't look unless someone with a warrant tells us to"). The SpiderOak app as a whole isn't open-source (yet) but many of its components are. If the whole thing is a sham, they've gone through a lot of trouble to write a lot of code they're not even using. While it's possible, I don't think it's very likely, and it doesn't seem like it would be worth the effort for them. Anyone uploading sensitive data to the cloud should be encrypting it independently anyway.

(3) I'm not a FOSS nut. I use plenty of closed-source software, and I bet you do too. I choose software primarily based on the features it offers, not on whether I can read the source code. If there are two options that will satisfy my needs, and one is closed-source while the other is open-source, I'm more inclined to choose the open-source option (with that inclination growing stronger as the amount of sensitive data stored by the app increases), but I don't go through life assuming everyone who writes a useful app is out to get me. And let's be honest here -- who actually reads through the source code of every (or even any) open-source program they use?

