11-22-13, 11:13 AM   #1
Rilgamon
Premium Member
AddOn Author
Join Date: Sep 2009
Posts: 822
Change your github password

Warning to GitHub users: please reset your passwords now! Use the strongest password possible. Recently many #Github accounts (with weak passwords) were compromised in a massive brute force attack from 40,000 IP addresses. DETAILS:
https://plus.google.com/112788764123...ts/JwDhf1JffWs
__________________
The cataclysm broke the world ... and the pandas could not fix it!
11-22-13, 11:50 AM   #2
Haleth
This Space For Rent
Featured
Join Date: Sep 2008
Posts: 1,173
Affected users have had their passwords reset, but it's a good idea to change your password anyway.

I can see several failed login attempts on my GitHub account over the past couple of days, from Venezuela, China and Mexico.

Last edited by Haleth : 11-22-13 at 11:52 AM.
11-22-13, 03:02 PM   #3
Resike
A Pyroguard Emberseer
AddOn Author
Join Date: Mar 2010
Posts: 1,290
Well, if you use weak passwords then you deserve it. A good password should not be brute-forceable within a year on an average PC.
11-22-13, 09:31 PM   #4
Phanx
Cat.
AddOn Author
Join Date: Mar 2006
Posts: 5,617
Better link:
https://github.com/blog/1698-weak-pa...s-brute-forced

No thanks on clicking through some annoying Google+ page just to get to some two-bit "social news" site's crappy page full of ads that spams me with a giant modal popup begging me to like them on Facebook, ugh. ಠ_ಠ

Anyway, GitHub says they sent out emails to the affected users, but with such an enormous breach, I'd rather they sent emails to all users. I didn't get an email, so apparently I wasn't "affected", but I changed my password anyway. Admittedly my GitHub password was pretty weak (same old easy-to-remember password I use for a bunch of random accounts that contains no personal info and nothing important) but apparently a short, all-lowercase-letters password that isn't a dictionary word was still "strong enough", lol.
__________________
Retired author of too many addons.
Message me if you're interested in taking over one of my addons.
Don’t message me about addon bugs or programming questions.

Last edited by Phanx : 11-22-13 at 09:34 PM.
11-23-13, 04:58 AM   #5
Rilgamon
Premium Member
AddOn Author
Join Date: Sep 2009
Posts: 822
Originally Posted by Phanx
No thanks on clicking through some annoying Google+ page
While true, I chose to link the source I got the information from, to honour the act of sharing.
__________________
The cataclysm broke the world ... and the pandas could not fix it!
11-23-13, 07:37 AM   #6
Rainrider
A Firelord
AddOn Author
Join Date: Nov 2008
Posts: 454
Github's advice: http://xkcd.com/936/
11-23-13, 10:38 AM   #7
Haleth
This Space For Rent
Featured
Featured
Join Date: Sep 2008
Posts: 1,173
Originally Posted by Rainrider
Github's advice: http://xkcd.com/936/
I always thought that was some flawed logic. It's not 44 bits of entropy when you're using a dictionary attack that checks for combinations of 3-5 existing words.

My passwords are usually based on phrases that are easy to remember depending on what the password is for, and then abbreviated, with some letters replaced by numbers, or uppercase/lowercase. It's not that difficult to remember.
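To put numbers on the disagreement in posts #3, #6 and #7, here is an added example (not from the thread or from GitHub) that computes the entropy of the comic's word-list scheme, of character-based passwords, and of a dictionary attack over every 3-5 word combination, then the years needed to exhaust each space at an assumed guess rate. The 2048-word list size, the guess rates and the three sample schemes are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed guess rates, assumptions for illustration only:
# ~1e3/s for an online attack against a login form,
# ~1e9/s for an offline attack against a leaked fast hash.
ONLINE_GUESSES_PER_SEC = 1e3
OFFLINE_GUESSES_PER_SEC = 1e9


def entropy_random_chars(length, alphabet_size):
    """Bits of entropy for `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def entropy_random_words(word_count, list_size):
    """Bits of entropy for `word_count` words drawn uniformly from a word list.

    This is the model behind the comic's 44 bits: 4 words from a list of 2048
    that the attacker is assumed to know, so the figure already assumes a
    dictionary attack rather than a character-by-character one.
    """
    return word_count * math.log2(list_size)


def dictionary_attack_bits(min_words, max_words, list_size):
    """log2 of the guesses needed to try every combination of min..max words."""
    total = sum(list_size ** k for k in range(min_words, max_words + 1))
    return math.log2(total)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try the whole space at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes(guesses_per_second):
    """Years to exhaust each sample scheme; values above 1 meet the 'more than a year' bar."""
    schemes = {
        "4 words from a 2048-word list": entropy_random_words(4, 2048),
        "8 random lowercase letters": entropy_random_chars(8, 26),
        "12 random printable ASCII chars": entropy_random_chars(12, 95),
    }
    return {name: years_to_exhaust(bits, guesses_per_second) for name, bits in schemes.items()}


if __name__ == "__main__":
    for rate in (ONLINE_GUESSES_PER_SEC, OFFLINE_GUESSES_PER_SEC):
        print(f"at {rate:.0e} guesses/s:")
        for name, years in compare_schemes(rate).items():
            print(f"  {name:32s} {years:12.3g} years")
    print(f"3-5 word dictionary attack covers 2^{dictionary_attack_bits(3, 5, 2048):.1f} guesses")
```

The 3-5 word search is dominated by the 5-word term (2048^5 = 2^55), so it is larger than the 4-word space the comic counts, not smaller; the practical weakness of any scheme is the offline rate, where a 44-bit space falls in hours.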
11-23-13, 10:51 AM   #8
zork
A Pyroguard Emberseer
AddOn Author
Join Date: Jul 2008
Posts: 1,740
Haleth, but Rainrider is correct. Don't make yourself a password that is hard to remember and still too short. Just come up with a funny phrase and build in some twists. If you add upper/lower case and punctuation you are set.

Most of the time passwords are stolen by sniffing, not by guessing.

I read a funny article about security last year that described how the current 256-bit keys are secure enough because to compute a key you would need more energy than the sun possesses.
__________________
| Simple is beautiful.
| WoWI AddOns | GitHub | Zork (WoW)

"I wonder what the non-pathetic people are doing tonight?" - Rajesh Koothrappali (The Big Bang Theory)

Last edited by zork : 11-23-13 at 10:55 AM.
11-23-13, 01:39 PM   #9
Haleth
This Space For Rent
Featured
Featured
Join Date: Sep 2008
Posts: 1,173
Originally Posted by zork
If you add upper/lower case and punctuation
This is the important part that wasn't mentioned in that comic.
11-23-13, 02:50 PM   #10
Resike
A Pyroguard Emberseer
AddOn Author
Join Date: Mar 2010
Posts: 1,290
Originally Posted by Haleth
This is the important part that wasn't mentioned in that comic
In before battle.net passwords...
11-23-13, 09:49 PM   #11
Rainrider
A Firelord
AddOn Author
Join Date: Nov 2008
Posts: 454
Originally Posted by Haleth
This is the important part that wasn't mentioned in that comic
https://help.github.com/articles/wha...trong-password That's GitHub's opinion on the matter.

What about those personal password managers? I took a look at LastPass site and stopped looking after I came to know that I must set one master password and after that I could use their manager on all the devices I own. So they save all my passwords somewhere. How secure is that somewhere? Where is it? How secure is the app itself? Why do they give it to me for free?
11-23-13, 11:47 PM   #12
Dridzt
A Pyroguard Emberseer
AddOn Author
Join Date: Nov 2005
Posts: 1,359
If I were to use a password manager I'd most definitely use an open source one.

Nothing like peer review in security matters.
Example: KeePass
11-24-13, 12:13 AM   #13
Cairenn
Credendo Vides
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
I love KeePass!
11-24-13, 01:21 AM   #14
Phanx
Cat.
AddOn Author
Join Date: Mar 2006
Posts: 5,617
I use PasswordSafe. Its storage is strictly local, it's open source, and it was originally written by Bruce Schneier. It's a Windows app, but there are also ports for many other platforms including Android and iOS. If you want to use it on multiple machines, either put your password file on a USB stick, or sync it; I now use SpiderOak for syncing due to their strong encryption and zero-knowledge policies (basically, everything is encrypted locally before it's uploaded, so they have no way to even know what you're uploading).

Since switching to this system, my passwords are all (well, at least the ones I've gotten around to changing) very long strings of random characters. I still let my browser remember passwords at home, though, because (a) I'm lazy, and (b) if someone has physical access to my computer there are far more embarrassing/incriminating things for them to get into than my GitHub account, and (c) if the NSA wants to look at my email or bank account, they don't need my password anyway.
__________________
Retired author of too many addons.
Message me if you're interested in taking over one of my addons.
Don’t message me about addon bugs or programming questions.
11-24-13, 03:10 AM   #15
Torhal
A Pyroguard Emberseer
AddOn Author
Join Date: Aug 2008
Posts: 1,196
Originally Posted by Phanx
Since switching to this system, my passwords are all (well, at least the ones I've gotten around to changing) very long strings of random characters. I still let my browser remember passwords at home, though, because (a) I'm lazy, and (b) if someone has physical access to my computer there are far more embarrassing/incriminating things for them to get into than my GitHub account
Ok. Seriously, now. Am I actually supposed to believe that Phanx is an actual human being?

Yes, yes, I know I "met her" at BlizzCon, but really...I wasn't fooled. That person was simply an agent.
__________________
Whenever someone says "pls" because it's shorter than "please", I say "no" because it's shorter than "yes".

Author of NPCScan and many other AddOns.
11-24-13, 03:27 AM   #16
Rilgamon
Premium Member
AddOn Author
Join Date: Sep 2009
Posts: 822
I don't store my passwords in a program (other than my browser). I don't even remember most of them.
I use the email login all services offer (aka "Password forgotten").
__________________
The cataclysm broke the world ... and the pandas could not fix it!
11-24-13, 06:28 AM   #17
Phanx
Cat.
AddOn Author
Join Date: Mar 2006
Posts: 5,617
Originally Posted by Torhal
... Phanx is an actual human being?
I can neither confirm nor deny the veracity of this assertion.
__________________
Retired author of too many addons.
Message me if you're interested in taking over one of my addons.
Don’t message me about addon bugs or programming questions.
11-24-13, 06:52 AM   #18
MoonWitch
A Firelord
AddOn Author
Join Date: Sep 2007
Posts: 455
Originally Posted by Torhal
Ok. Seriously, now. Am I actually supposed to believe that Phanx is an actual human being?

Yes, yes, I know I "met her" at BlizzCon, but really...I wasn't fooled. That person was simply an agent.
I am assuming she looks as she sounds, strict and sweet (yes, that comes out slightly wrong; it's not meant that way).
11-24-13, 04:31 PM   #19
Rainrider
A Firelord
AddOn Author
Join Date: Nov 2008
Posts: 454
Originally Posted by Phanx
I use PasswordSafe. Its storage is strictly local, it's open source, and it was originally written by Bruce Schneier. It's a Windows app, but there are also ports for many other platforms including Android and iOS. If you want to use it on multiple machines, either put your password file on a USB stick, or sync it; I now use SpiderOak for syncing due to their strong encryption and zero-knowledge policies (basically, everything is encrypted locally before it's uploaded, so they have no way to even know what you're uploading).

Since switching to this system, my passwords are all (well, at least the ones I've gotten around to changing) very long strings of random characters. I still let my browser remember passwords at home, though, because (a) I'm lazy, and (b) if someone has physical access to my computer there are far more embarrassing/incriminating things for them to get into than my GitHub account, and (c) if the NSA wants to look at my email or bank account, they don't need my password anyway.
Why do you trust SpiderOak not to save your password? The client that generates it is closed source, so there's no way to know for sure.
11-24-13, 11:53 PM   #20
Phanx
Cat.
AddOn Author
Join Date: Mar 2006
Posts: 5,617
Originally Posted by Rainrider
Why do you trust SpiderOak for not saving your password? The client that generates it is closed source so no way to know it for sure.
(1) My password file from PasswordSafe is encrypted already, so even if SpiderOak is lying to me, they can't access my passwords. If they really want to spy on my recipe collection or my user stylesheets, which aren't independently encrypted, well... knock yourselves out, guys. Grab some beers, hire some strippers, lay down some lines of coke, and have a wild party while you read all about how I reskinned Amazon and Duolingo. Oh yeah, baby, check out dat readable font size and dem colors!

(2) I'm more inclined to trust SpiderOak with my data than Dropbox etc. who do not encrypt my files at all, and who have explicitly stated they have full access to the content of my files ("but only a few special people, and we won't look unless someone with a warrant tells us to"). The SpiderOak app as a whole isn't open-source (yet) but many of its components are. If the whole thing is a sham, they've gone through a lot of trouble to write a lot of code they're not even using. While it's possible, I don't think it's very likely, and it doesn't seem like it would be worth the effort for them. Anyone uploading sensitive data to the cloud should be encrypting it independently anyway.

(3) I'm not a FOSS nut. I use plenty of closed-source software, and I bet you do too. I choose software primarily based on the features it offers, not on whether I can read the source code. If there are two options that will satisfy my needs, and one is closed-source while the other is open-source, I'm more inclined to choose the open-source option (with that inclination growing stronger as the amount of sensitive data stored by the app increases), but I don't go through life assuming everyone who writes a useful app is out to get me. And let's be honest here -- who actually reads through the source code of every (or even any) open-source program they use?
__________________
Retired author of too many addons.
Message me if you're interested in taking over one of my addons.
Don’t message me about addon bugs or programming questions.