If your Git actions have been failing or giving errors on GitHub since yesterday (August 14), it’s likely because you’re still using password-based authentication for your Git actions, and now you need to change that setting.
GitHub announced last July that it would no longer accept account passwords to authenticate Git operations, and now it’s time to make that decision official. You will now need to use SSH keys or token-based authentication to authenticate Git operations.
In the official GitHub blog post, GitHub says, “Starting August 13, 2021 at 09:00 PST, we will no longer accept account passwords when authenticating Git operations on
GitHub.com. Instead, all Git operations that require authentication will require token-based authentication.”
- Command-line access to Git.
- Desktop applications that use Git (GitHub Desktop is not affected).
- Direct access to any application/service in the Git repository on GitHub.com using a password
Not affected by this change
- If you have enabled two-step authentication, you were already using token-based or SSH authentication before that.
- If using GitHub Enterprise Server, we have not yet announced any changes to our on-premises product.
- If maintaining a GitHub App, GitHub Apps does not support password authentication.
If you’re still using a username and password to authenticate to Git operations, you should take the following steps to avoid exceptions once the new requirements kick in.
- For developers, if you are still using a password to authenticate your GitHub.com operations, you must start using a personal access token by August 13, 2021 via HTTPS (recommended) or SSH key to start using a personal access token to avoid disruption. If you receive a warning that you are using an outdated third-party integration, update your client to the latest version.
- For integrators, you must certify the integration using the network or device authorization process certification by August 13, 2021 to avoid disruption.
Tokens offer a number of security advantages over password-based authentication.
- Unique: tokens are specific to GitHub and can be generated on a per-use or per-device basis.
- Revocable: tokens can be individually revoked at any time without the need to update unaffected credentials.
- Limited: tokens can be narrowed to allow only the access required by the use case.
- Random: tokens are not subject to dictionary types or brute force attempts that might be made with simpler passwords that users need to remember or enter periodically
Over the years, GitHub has improved user account security through a variety of initiatives including adding two-step authentication, login alerts, verifying devices, blocking the use of compromised passwords, and WebAuthn support.