Information Security News
mailing list archives
GitHub bans weak passwords after brute-force attacks
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 21 Nov 2013 06:16:33 +0000 (UTC)
By Lucian Constantin
IDG News Service
November 20, 2013
Popular source code repository service GitHub has recently been hit by a
brute-force password-guessing attack that successfully compromised some
"We sent an email to users with compromised accounts letting them know
what to do," GitHub security engineer Shawn Davenport said in a blog post.
"Their passwords have been reset and personal access tokens, OAuth
authorizations, and SSH keys have all been revoked."
Users were advised to review their account's Security History page for
recent changes made to their repositories or failed log-in attempts and to
enable two-factor authentication.
GitHub stores passwords securely using the bcrypt function and uses an
aggressive rate limit for log-in attempts specifically to block
password-guessing attacks, Davenport said. However, in this recent
incident almost 40,000 unique Internet Protocol addresses "were used to
slowly brute force weak passwords or passwords used on multiple sites."
Dean Bushmiller teaches a great 5-Day CISM in Albany NY Dec. 2 6.
Call 327-937-9786 for details.
- GitHub bans weak passwords after brute-force attacks InfoSec News (Nov 21)