2

I have received this message today when I tried to push my code:

remote: Weak credentials. Please Update your password to continue using GitHub.
remote: See https://help.github.com/articles/creating-a-strong-password/.

How do they know I used a weak password since they only store the password hash?

lucutzu33
  • When you push, you send them an https request. They need to check it's you. So this request contains your login/email, and your password. They don't store it. They hash it, and compare the result with the hash they have stored before, when you signed up or changed your password. – JB Nizet Dec 20 '19 at 12:58

1 Answer

2

Yes, your understanding is correct. When you type a password to sign in, create an account, or change your password, GitHub will check if the password you entered is considered weak according to datasets like HaveIBeenPwned. The password may be identified as weak even if you have never used that password before.

GitHub only inspects the password at the time you type it, and never stores the password you entered in plaintext.

Below is a possible implementation:

  1. The user logs in using valid credentials.

  2. Check whether the password is secure before hashing it: check the password's SHA-1 hash against the Pwned Passwords API of https://haveibeenpwned.com/.

  3. If the password is insecure, store a binary toggle as a user field.

  4. If the user has that binary toggle set, show a warning on EVERY page and nudge them towards changing the password.

Ramya
  • Note that it is slightly insecure of Git / GitHub not to hash the password *before* sending it, and then hash it another time on the server. As you do the same thing for the website I suppose it doesn't matter much. – Maarten Bodewes Dec 20 '19 at 13:26
  • Not quite, GitHub stores a local mirror and does the lookup locally. Source: am one of the developers that wrote the code – oreoshake Dec 20 '19 at 20:33
  • Please refer to the policy mentioned by GitHub https://help.github.com/en/github/authenticating-to-github/creating-a-strong-password – Ramya Dec 21 '19 at 12:08
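The four-step flow in the answer (verify the login, check the plaintext against Pwned Passwords at that moment, set a per-user flag, show a banner while the flag is set) is easy to get wrong, so here is a worked version as an added example. This is not code from the answer, from GitHub, or from Have I Been Pwned. It uses the k-anonymity range lookup: only the first five hex characters of the SHA-1 are used as a key, and the full suffix is compared on the caller's side, so the password itself never leaves the process. The lookup backend is pluggable so the same check works against a local mirror (as the comment above describes GitHub doing) or against the live API endpoint `https://api.pwnedpasswords.com/range/{prefix}`; the `SAMPLE_MIRROR` table, the breach counts in it, and the `User`/`register`/`login`/`banner` names are constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.request import Request, urlopen

# Constructed stand-in for a local mirror of the Pwned Passwords range data,
# keyed by 5-hex-char SHA-1 prefix. The first suffix under "5BAA6" is the real
# SHA-1 tail of the string "password"; the other suffixes and every count are
# made up so the example runs offline.
SAMPLE_MIRROR: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0011223344556677889900AABBCCDDEEFF0:2\r\n"
        "FFEEDDCCBBAA00998877665544332211000:17\r\n"
    ),
}

RangeLookup = Callable[[str], Optional[str]]


def local_mirror_lookup(prefix: str) -> Optional[str]:
    """Return the range body for a prefix from the local mirror, or None."""
    return SAMPLE_MIRROR.get(prefix)


def api_range_lookup(prefix: str) -> str:
    """Live lookup against the public range endpoint (not used by the tests).
    Add-Padding asks the service to pad the response with dummy suffixes that
    carry a count of 0, which hides the true range size from a network observer."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-weak-password-check"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup: RangeLookup = local_mirror_lookup) -> int:
    """Number of times the password appears in the breach corpus (0 = not found).

    Only the 5-char prefix is handed to the lookup; the 35-char suffix is
    compared locally against every line of the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    body = lookup(prefix)
    if not body:
        return 0
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        tail, _, count = line.partition(":")
        if tail.upper() == suffix:
            # Padded entries report 0, so int() keeps them out of the "weak" set.
            return int(count or "0")
    return 0


def _derive(password: str, salt: bytes) -> bytes:
    """Password hash for storage; the plaintext is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class User:
    username: str
    salt: bytes
    stored_hash: bytes
    weak_password: bool = False  # the "binary toggle" from the answer


def register(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, _derive(password, salt))


def login(user: User, password: str, lookup: RangeLookup = local_mirror_lookup) -> bool:
    """Step 1 and 2: verify the credential, then inspect the plaintext once
    while we still have it, and record the verdict on the user record."""
    if not hmac.compare_digest(_derive(password, user.salt), user.stored_hash):
        return False
    user.weak_password = pwned_count(password, lookup) > 0
    return True


def banner(user: User) -> Optional[str]:
    """Step 4: the message every page shows while the toggle is set."""
    if user.weak_password:
        return "Weak credentials. Please update your password to continue."
    return None


if __name__ == "__main__":
    alice = register("alice", "password")
    print(login(alice, "password"), banner(alice))
```

The check runs only inside `login`, after the credential has been verified, so a failed login attempt never updates the flag and the flag persists until the user changes the password and a later login clears it. Swapping `lookup=api_range_lookup` into `login` switches the same code to the live service without changing what is sent over the wire (the prefix only).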