FYI: GitHub’s New Security and Recovery Practices

As a way to thwart malicious access to accounts, GitHub recently announced its new security and recovery practices. Hacking continues to rise, and passwords are often an easy target for attackers to crack. Many passwords get compromised because they are weak combinations or are reused across different accounts. This makes them easy to crack and can be a huge issue, especially where private repositories are concerned. Thus, it’s critical for developers to familiarize themselves with GitHub’s new security and recovery practices. Here are the GitHub security and recovery practices that development teams should pay attention to:

Checkup for Two-Factor Authentication

Users returning to the GitHub website will be prompted to update not only their passwords but to set up or check their two-factor authentication as well. Without updating their passwords and setting up two-factor authentication, users can lose access to their GitHub accounts.

The new two-factor authentication setup includes how long ago a recovery code was viewed. This allows users to quickly see if unauthorized parties attempted to change their passwords. Users have the option to set up an SMS number and a fallback SMS number just in case the primary is misplaced or lost.

If the primary number is lost, users can still access their GitHub accounts from a new computer or even a different browser. They will be prompted to enter their passwords and recovery codes. Once authenticated, users will be able to view the history of logins and activity on their GitHub accounts. Users can also take advantage of a U2F key for extra protection. GitHub recommends this hardware key option for two-factor authentication since anyone accessing the account must physically possess the device. Once two-factor authentication is set up, GitHub will periodically remind the user to review their two-factor settings to ensure they keep them up to date.

Enforced Stronger Passwords

It’s no secret that hackers have made a career out of stealing passwords. However, many of these incidents can be avoided if users create stronger passwords. In fact, most users neglect to create passwords that are strong enough to safeguard against easy account hacking. They often use easy-to-remember passwords made of common words or phrases or short strings of characters, such as the password “hellokitty,” or even reuse these weak passwords across different profiles and accounts. The issue with these types of passwords is that they are easy for hackers to crack. That’s why GitHub has taken measures to enforce stronger passwords. To accomplish this, GitHub requires its users to include numbers, symbols and capital letters to ensure that their passwords are strong.

Have I Been Pwned

As part of the new security measures, GitHub is also encouraging its users to sign up to receive notifications from Have I Been Pwned. Have I Been Pwned makes it easy for users to quickly see if their usernames have been part of any publicly available data breaches. This helps users determine if they need to change their usernames as an enhanced security measure. GitHub also launched its own version of the Have I Been Pwned project as a security measure to verify whether or not its users’ passwords were found in available data-breach sets. If GitHub discovers a user’s password is compromised, the user is prompted to choose a new password when they log in, update their password or register for an account.
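The two checks described in the previous two sections, a composition policy and a lookup against breach data, can be combined in one password-acceptance routine. The example below is added here and is not GitHub’s code or the Have I Been Pwned project’s code. It uses the k-anonymity scheme that the public Pwned Passwords service exposes (the client hashes the password with SHA-1 and sends only the first five hex characters to `https://api.pwnedpasswords.com/range/<prefix>`, receiving `SUFFIX:COUNT` lines back), but runs entirely offline against a constructed, three-entry breach corpus; the `local_range_lookup` function, the `min_length` of 8 and all counts are assumptions for the example. The point it demonstrates is that a password such as `Passw0rd!` passes every composition rule the article lists and is still rejected because it appears in breach data.

```python
import hashlib
import re
from typing import Callable, Dict, List

# Constructed stand-in for a breach corpus (NOT real breach data): a few
# deliberately weak plaintexts with made-up occurrence counts.
_CONSTRUCTED_BREACHED: Dict[str, int] = {
    "hellokitty": 12345,
    "password": 9999999,
    "Passw0rd!": 4321,
}


def _sha1_upper(password: str) -> str:
    """SHA-1 hex digest in upper case, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Dict[str, int]) -> Dict[str, str]:
    """Group hashes by their 5-char prefix and render each group the way a
    range endpoint returns it: one 'SUFFIX:COUNT' line per hash."""
    groups: Dict[str, List[str]] = {}
    for plaintext, count in breached.items():
        digest = _sha1_upper(plaintext)
        groups.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in groups.items()}


_RANGE_INDEX = build_range_index(_CONSTRUCTED_BREACHED)


def local_range_lookup(prefix: str) -> str:
    """Assumed offline replacement for an HTTP GET of /range/{prefix}.
    A real integration would swap in an HTTP client here; nothing else changes."""
    return _RANGE_INDEX.get(prefix, "")


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = local_range_lookup) -> int:
    """k-anonymity check: only the 5-char hash prefix leaves the client, and the
    full-hash comparison happens locally against the returned suffixes."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def policy_problems(password: str, min_length: int = 8) -> List[str]:
    """Composition rules as the article describes them (digits, symbols,
    capitals); the minimum length is an assumption for this example."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def evaluate_password(password: str,
                      range_lookup: Callable[[str], str] = local_range_lookup) -> dict:
    """Apply the composition policy and the breach lookup; reject on either."""
    problems = policy_problems(password)
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return {"accepted": not problems, "problems": problems, "breach_count": seen}


if __name__ == "__main__":
    for candidate in ("hellokitty", "Passw0rd!", "Correct-Horse-Battery-7"):
        print(candidate, evaluate_password(candidate))
```

Because the prefix is only 20 bits, the range lookup tells the server nothing usable about which of the roughly half a million matching hashes was being checked, which is why this design is acceptable at login and registration time without transmitting the password or its full hash.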

GitHub’s move to enhance security measures demonstrates the need for consistently updating and reviewing passwords. By using these best practices, developers can help safeguard their private repositories and other important GitHub account information. If you are looking for a reliable partner to manage and host your GitHub repos, contact us.