Microsoft’s code hosting platform, GitHub, has announced that it wants to stop accepting account passwords as a way to authenticate Git operations. Passwords will be replaced by authentication tokens. The change applies only to Git operations and does not affect logging in to GitHub itself. This change takes effect after August 13, 2021.
According to Matthew Langlois, security engineer at GitHub, the update follows a security change plan that began in July this year. Last month, all authenticated API operations on GitHub started to require a security token.
“As of August 13, 2021, we will no longer accept account passwords when authenticating Git operations and will require the use of token-based authentication, such as a personal access token (for developers) or an OAuth or GitHub app install token (for integrators) for all Git operations authenticated on GitHub.com. You can also continue using SSH keys wherever you prefer,” writes Langlois on the GitHub blog.
For Langlois, tokens are more secure and reliable than traditional passwords. “Tokens offer several security benefits over password-based authentication,” he says.
One of the benefits is that the tokens are specific to GitHub and can be generated per use or per device. Tokens are also revocable, that is, they can be revoked individually, at any time, “without the need to update unaffected credentials”. But the main benefit is that the tokens are random. “Tokens are not vulnerable to the types of password banks or brute force attempts that traditional passwords can be,” he explains.
Forcing users to use tokens instead of passwords is seen as an advantage by the platform’s security engineer, as users will not choose weak passwords like “Intel123” (believe me… Intel has already used this password).
Source: GitHub.
See the original post at: https://thehack.com.br/github-quer-trocar-as-senhas-tradicionais-por-tokens-autenticadores-para-operacoes-com-git/?rand=48873