If you have been pwned, GitHub will be the first to tell you.
GitHub has revamped its security systems to issue warnings to users when their passwords have been exposed online through other services.
The code repository has recently partnered with Have I Been Pwned, a search engine operated by security expert Troy Hunt, to give the general public a way to quickly discover whether or not their online accounts and passwords have been exposed.
The online service brings together records from public datasets and record dumps which have been released online.
In 2012, LinkedIn suffered a severe data breach; four years later, it was discovered that 167 million user records had been stolen. It was this data breach which, arguably, heightened the popularity of Have I Been Pwned and brought to light the issue of re-used passwords, which can be weaponised by attackers to compromise other online accounts and services.
Two-factor authentication (2FA) is another layer of security which can be added to many online accounts to lessen the risk of compromise even if the same password is in use elsewhere.
But with so many online systems protected by nothing more than a password which may be reused or exposed elsewhere, and users choosing not to enable 2FA, notifying account holders of potential compromise is a critical step towards better security.
GitHub has already enabled 2FA and now, through a relationship with Have I Been Pwned, will notify users when their password has been compromised elsewhere.
Hunt allowed GitHub to download the full Have I Been Pwned record repository, which currently stands at roughly 517 million records.
“Using this data, GitHub created an internal version of this service so that we can validate whether a user’s password has been found in any publicly available sets of breach data,” the company says.
Now, GitHub account holders who are using compromised passwords are being made aware of the fact and will be prompted to select new credentials during login and registration.
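An offline check of this kind can be sketched as follows. This is an added example, not GitHub's code (the article does not describe its implementation); it assumes a locally downloaded list of `SHA1HEX:COUNT` lines sorted by hash, and the function names, file name and sample passwords are constructed for illustration.

```python
import hashlib
import os


def sha1_hex(password: str) -> bytes:
    """Uppercase SHA-1 hex of the password: the lookup key, not a storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode()


def build_sample(path: str, counts: dict) -> None:
    """Write a constructed sample list in the assumed sorted HASH:COUNT layout."""
    rows = sorted((sha1_hex(pw), n) for pw, n in counts.items())
    with open(path, "wb") as f:
        for digest, n in rows:
            f.write(digest + b":" + str(n).encode() + b"\n")


def pwned_count(password: str, path: str) -> int:
    """Binary-search the sorted file by byte offset; return breach count or 0."""
    target = sha1_hex(password)
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)
        while lo < hi:
            mid = (lo + hi) // 2
            # Position on the first line that starts at or after offset mid.
            f.seek(max(mid - 1, 0))
            if mid:
                f.readline()
            line = f.readline()
            digest = line[:40]
            if not line or digest > target:
                hi = mid          # target, if present, starts before mid
            elif digest < target:
                lo = mid + 1      # target, if present, starts after mid
            else:
                return int(line[41:])
    return 0


def accept_password(password: str, path: str) -> bool:
    """Registration/login gate: reject any password present in the list."""
    return pwned_count(password, path) == 0


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "pwned-sample.txt")  # constructed sample data
        build_sample(sample, {"password": 7, "123456": 42, "qwerty": 3})
        print(accept_password("qwerty", sample))
```

Because the lookup runs against a local file, the candidate password never leaves the service performing the check, and the binary search keeps each lookup to a few dozen reads even on a list of hundreds of millions of lines.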
GitHub recommends that users enable 2FA to enhance their account security. Users should also consider signing up for Have I Been Pwned notifications, which will automatically alert them if their email address has been detected in a new data breach.