Home page logo
/

isn logo Information Security News mailing list archives

GitHub bans weak passwords after brute-force attacks
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 21 Nov 2013 06:16:33 +0000 (UTC)

http://www.computerworld.com/s/article/9244201/GitHub_bans_weak_passwords_after_brute_force_attacks

By Lucian Constantin
IDG News Service
November 20, 2013

Popular source code repository service GitHub has recently been hit by a brute-force password-guessing attack that successfully compromised some accounts.

"We sent an email to users with compromised accounts letting them know what to do," GitHub security engineer Shawn Davenport said in a blog post. "Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked."

Users were advised to review their account's Security History page for recent changes made to their repositories or failed log-in attempts and to enable two-factor authentication.

GitHub stores passwords securely using the bcrypt function and uses an aggressive rate limit for log-in attempts specifically to block password-guessing attacks, Davenport said. However, in this recent incident almost 40,000 unique Internet Protocol addresses "were used to slowly brute force weak passwords or passwords used on multiple sites."

[...]



--
Dean Bushmiller teaches a great 5-Day CISM in Albany NY Dec. 2  6.
Call 327-937-9786 for details.


  By Date           By Thread  

Current thread:
  • GitHub bans weak passwords after brute-force attacks InfoSec News (Nov 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]