Github accounts compromised!


Popular source code repository service GitHub has recently been hit by a massive password brute-force attack that successfully compromised some accounts. GitHub has urged users to set up two-factor authentication for their accounts and has already reset passwords for compromised accounts.

“We sent an email to users with compromised accounts letting them know what to do,”

“Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked.” 

However, GitHub uses the bcrypt algorithm to hash passwords, which is extremely resilient against brute-force attacks because it takes an inordinate amount of time to hash each password.

In a blog post, GitHub engineer Shawn Davenport said that a brute force attack from around 40,000 IP addresses revealed some commonly used passwords. These addresses were used to slowly brute force weak passwords.

In addition to normal strength requirements like length or character requirements, GitHub has banned frequently used weak passwords on the site and has "aggressively" rate-limited login attempts.

Commonly used passwords include Password1, Password123, Qwerty123, access14, admin123, bond007, letmein, pa55w0rd, passw0rd, password1, password123 and similar.

"This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information."

The exact number of compromised GitHub accounts was not disclosed, but GitHub’s sign-up page now says passwords need to be at least seven characters long and have at least one lowercase letter and one numeral.
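The following added example (not GitHub's code and not from the original article) applies the sign-up rule quoted above to the weak passwords the article lists. It shows why a banned-password list is needed on top of the composition rule. The case-insensitive comparison and all function names are assumptions made for illustration.

```python
import re

# Weak passwords named in the article; GitHub's full ban list is not on the page.
BANNED = {
    "Password1", "Password123", "Qwerty123", "access14", "admin123",
    "bond007", "letmein", "pa55w0rd", "passw0rd", "password1", "password123",
}
# Assumption: fold case so that case variants of a banned entry are rejected too.
_BANNED_FOLDED = {p.casefold() for p in BANNED}


def meets_composition_rule(password: str) -> bool:
    """Rule quoted in the article: >= 7 chars, one lowercase letter, one numeral."""
    return (
        len(password) >= 7
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def is_banned(password: str) -> bool:
    """True if the password matches a banned entry, ignoring case."""
    return password.casefold() in _BANNED_FOLDED


def check_password(password: str) -> list:
    """Return the reasons to reject a password; an empty list means accepted."""
    reasons = []
    if not meets_composition_rule(password):
        reasons.append("composition")
    if is_banned(password):
        reasons.append("banned")
    return reasons


def passes_rule_but_banned() -> list:
    """Listed passwords that the composition rule alone would have accepted."""
    return sorted(p for p in BANNED if meets_composition_rule(p))


if __name__ == "__main__":
    for pw in sorted(BANNED):
        print(f"{pw:12} -> {check_password(pw)}")
    print("accepted by composition rule alone:", passes_rule_but_banned())
```

Of the eleven listed passwords, only letmein is rejected by the composition rule; the other ten satisfy it and are stopped only by the ban list.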

Source: http://thehackernews.com/2013/11/github-accounts-compromised-in-massive.html

Submitted by: Vandal

