Is Github storing passwords in plaintext?
-
Just got an official email informing me I should change my password because it is weak and easily guessed.
How would they know that, unless they are saving data about my password? I'm no security expert, but I'm fairly certain best practice involves not retaining that info.
-
@jcaron Thanks for clarifying my imprecise answer and for outlining how the procedure might have been implemented within GitHub. Appreciate it!
-
@andreas You can't compare a (properly salted) hashed password against a hashed password, as the salt will be different (or nonexistent in one instance), the hash will be different, so no match.
What you can do however:
- Do the check whenever you create an account or log in, but they would probably show the warning right at that time rather than send an e-mail
- Try a list of easily guessable/very common passwords against the salted password. Basically, a (friendly) dictionary attack.
There are lists of millions of "common" passwords (based on previous leaks of passwords stored in cleartext). It's then a matter of deciding whether you consider a password weak only if it's in the top X most common, or if it's ever been leaked anywhere.
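The "friendly dictionary attack" described above, as an added example (not code from the thread or from GitHub): a direct hash-to-hash comparison fails because the salts differ, while re-hashing each common password under the user's own salt finds the weak one. The KDF (PBKDF2-HMAC-SHA256), work factor and the five-word list are assumptions standing in for a real multi-million-entry leaked-password list.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample standing in for the multi-million-entry leaked-password lists.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

ITERATIONS = 100_000  # assumed work factor; real deployments tune this


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash (PBKDF2-HMAC-SHA256 chosen here as an example KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_password(password: str) -> Tuple[bytes, bytes]:
    """What a server keeps: a fresh random salt and the salted hash, never the password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def naive_hash_compare(stored_hash: bytes, common_hash: bytes) -> bool:
    """Comparing two hashes directly only matches if both used the same salt."""
    return hmac.compare_digest(stored_hash, common_hash)


def friendly_dictionary_check(salt: bytes, stored_hash: bytes,
                              wordlist=COMMON_PASSWORDS) -> Optional[str]:
    """Re-hash each common password with the user's own salt and look for a match.

    Returns the matching entry (so the server knows to warn the user) or None.
    Cost is one KDF evaluation per candidate, which is why a site would
    restrict this to a top-N list rather than every leaked password."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            return candidate
    return None


if __name__ == "__main__":
    salt, stored = store_password("letmein")
    other_salt = os.urandom(16)
    # Same common word hashed under a different salt never matches:
    print(naive_hash_compare(stored, hash_password("letmein", other_salt)))  # False
    # Re-hashing the list under the user's salt does find it:
    print(friendly_dictionary_check(salt, stored))  # letmein
```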
-
They probably compared the hashed password against a list of hashed passwords that are easy to guess. The password you have been using is probably within the list published at https://haveibeenpwned.com/Passwords.
The procedure employed by GitHub has been recommended by the NIST the other day, see also [1] and [2]. It is even being developed in the open [3].
[1] https://security.stackexchange.com/questions/191681/how-to-understand-githubs-password-policy/191684#191684
[2] https://www.nist.gov/itl/tig/projects/special-publication-800-63
[3] https://github.com/usnistgov/800-63-3
-
Maybe they guessed your password :-)