Brute-forcing, in which attackers use automated software to try commonly used or easily guessed passwords (e.g., the account holder's name followed by "123") against online accounts, is not uncommon. But the GitHub attack is notable for its scale: it was carried out from almost 40,000 different IP addresses, which were used to test slowly for weak passwords or for passwords reused across multiple sites (still a common foible among end users). Spreading the attempts across that many sources keeps each individual address well under the per-IP rate limit a site would normally enforce, which is what makes a distributed, low-and-slow campaign hard to stop with per-IP throttling alone.
As a result, the company is telling users that it now requires more responsible password choices. "While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses," explained GitHub security manager Shawn Davenport in a blog post. "We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to log in to GitHub.com with commonly-used weak passwords."
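The two controls Davenport mentions, rate limiting and a ban on common weak passwords, are easy to get wrong against this kind of attack. The following is an added example, not GitHub's code, showing why a per-IP failure counter never fires when each of thousands of addresses makes a single attempt, while counting failures per target account (regardless of source) does; it also shows a minimal weak-password check. The log lines, thresholds, window and denylist are all constructed assumptions for illustration.

```python
"""Added example (not GitHub's code): detecting a distributed low-and-slow
password attack in auth logs, and rejecting weak passwords at set time.

All sample data, thresholds and the denylist below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines: timestamp, source IP, target account, result.
# Each source IP makes only one attempt against "alice", mimicking the
# many-IPs-one-guess-each pattern described in the article.
SAMPLE_LOG = """\
2013-11-19T10:00:01Z 203.0.113.10 alice FAIL
2013-11-19T10:01:09Z 203.0.113.11 alice FAIL
2013-11-19T10:02:30Z 198.51.100.7 alice FAIL
2013-11-19T10:04:12Z 192.0.2.44 alice FAIL
2013-11-19T10:05:55Z 203.0.113.12 alice FAIL
2013-11-19T10:07:40Z 198.51.100.9 alice FAIL
2013-11-19T10:03:00Z 203.0.113.10 bob OK
2013-11-19T10:06:00Z 203.0.113.99 carol FAIL
"""

PER_IP_LIMIT = 5        # assumed: failures from one IP per window before blocking
PER_ACCOUNT_LIMIT = 5   # assumed: failures against one account per window, any IP
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)  # chronological, so the sliding window below is valid


def failures_over_limit(events, key_fn, limit, window=WINDOW):
    """Return every key (an IP or an account, chosen by key_fn) whose FAIL
    count within any sliding window of `window` reaches `limit`."""
    recent = defaultdict(list)
    flagged = set()
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        key = key_fn(ip, user)
        bucket = recent[key]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:  # expire old failures
            bucket.pop(0)
        if len(bucket) >= limit:
            flagged.add(key)
    return flagged


def per_ip_blocks(events):
    """Classic per-IP throttle: blind to one-guess-per-IP campaigns."""
    return failures_over_limit(events, lambda ip, user: ip, PER_IP_LIMIT)


def per_account_locks(events):
    """Per-account counter: catches the same campaign because all guesses
    land on one account, whatever their source."""
    return failures_over_limit(events, lambda ip, user: user, PER_ACCOUNT_LIMIT)


def distinct_sources(events, user):
    """Number of distinct IPs that failed against one account; a high value
    with few failures per IP is the signature of the distributed attack."""
    return len({ip for _, ip, u, r in events if u == user and r == "FAIL"})


# Assumed tiny denylist; a real deployment would load a large list of
# leaked and commonly-used passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "github"}
MIN_LENGTH = 8  # assumed policy value


def is_weak_password(password, username):
    """Reject denylisted passwords, passwords containing the username
    (e.g. "alice123"), and anything shorter than the minimum length."""
    p, u = password.lower(), username.lower()
    if p in COMMON_PASSWORDS:
        return True
    if u and u in p:
        return True
    return len(password) < MIN_LENGTH


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP blocks:", per_ip_blocks(ev))           # empty set
    print("per-account locks:", per_account_locks(ev))   # {'alice'}
    print("distinct IPs vs alice:", distinct_sources(ev, "alice"))
    print("alice123 weak?", is_weak_password("alice123", "alice"))
```

One caveat a practitioner would add: a hard per-account lockout lets an attacker lock legitimate users out by deliberately failing against their accounts, so in practice the per-account signal is better used to trigger step-up checks (a CAPTCHA, a second factor, or a forced reset as GitHub did) rather than an outright block, and the distinct-source count is what separates a distributed campaign from a single user mistyping a password.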
GitHub sent an email to users with compromised accounts, alerting them that their passwords had been reset and that their personal access tokens, OAuth authorizations and SSH keys had all been revoked.
Affected users will need to create a new, strong password and review their account for any suspicious activity. GitHub's security history page logs important events involving a user's account; if the user had a strong password or GitHub's two-factor authentication enabled, the failed attempts to access the account may show up there.
Also, out of what Davenport calls "an abundance of caution," some accounts may have been reset even though they had strong passwords: this was done where account activity showed logins from IP addresses involved in the incident.
“This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information,” Davenport added. “This is a great opportunity for you to review your account, ensure that you have a strong password and enable two-factor authentication.”
Password strength is an ongoing conundrum for the industry as users and services try to find a happy medium between security and headaches: remembering a random 10-character alphanumeric password that changes every 90 days is not something most consumers can do, resulting in either the sticky-note approach or the "email it to yourself" method, neither of which is particularly secure either.
GitHub is not alone, however, in requiring strong passwords: BlackBerry, Gmail and Hotmail all banned weak passwords last year.