GitHub Accidentally Exposes Some Plaintext Passwords In Its Internal Logs

GitHub has sent an email to some of its 27 million users alerting them of a bug that exposed some user passwords in plaintext. "During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system," said the email. "We have corrected this, but you'll need to reset your password to regain access to your account." ZDNet reports: The email said that a handful of GitHub staff could have seen those passwords -- and that it's "unlikely" that any GitHub staff accessed the site's internal logs. It's unclear exactly how this bug occurred. GitHub's explanation was that it stores user passwords with bcrypt, a stronger password hashing algorithm, but that the bug "resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset." "Rest assured, these passwords were not accessible to the public or other GitHub users at any time," the email said. GitHub said it "has not been hacked or compromised in any way."

Umm... how's this possible?

[Opportunist]

How can a clear text password be available to them at all to record it in a log?

Re:Umm... how's this possible?

While it should be hashed on client-side, most systems still tend to do it on the server side. Meaning that at least initially a plain-text password is passed to the server over (hopefully) encrypted channel.

Correct? No. Common? Yes.

Re:Umm... how's this possible?

i guess if theres an error before input is encrypted and system is set to var_dump();

Re:Umm... how's this possible?

[blindvic]

Are you sure it's correct? How would you log in users? They would hash their password on the client side and send the hash so that the back end would compare the hashes?

Re:Umm... how's this possible?

[Opportunist]

What should happen is that a hash gets calculated on client AND server side, you don't want to store the client's hash directly in the database... for obvious reasons.

Re:Umm... how's this possible?

[TheRaven64]

If you hash on the client, then you're not really hashing, you're just using a different password and the thing in your database is now the real password, because that's what the client presents to log in. If you really want to do it properly, there are zero-knowledge protocols that allow it, but simply hashing on the client is not sufficient.

Re:Umm... how's this possible?

What? No. The server holds the hashed user's passwords so anytime a user types his password it compares its hash with the one it got and only then it allows the login.

Re:Umm... how's this possible?

How can a clear text password be available to them at all to record it in a log?

Quite easily.

Change your form to send a GET request instead of a POST, and *blam* form contents go into the server log as part of the request URI.

With a normal form submit, this would, of course, be noticed immediately by the user (and one would hope by the developer and QA too) because the form contents show up in the browser URL bar, but if the request is made via Ajax, then this doesn't happen so it could get missed.

Another way it can happen is a debugging statement left in the code that dumps the user object to the log file. If it gets triggered at a point in time before the password is hashed, then *blam* passwords in the log file.

I've seen both of these exact thing happen in the real world. They may or may not be the same thing that happened with in this case, but they do happen. In both the cases I'm referring to, the problem was noticed very quickly once it went into production, and was dealt with immediately. However, nobody dreamt of mentioning it to the users -- both incidents were a number of years ago, when public security incident reporting really wasn't a thing.

Re:Umm... how's this possible?

My guess is that by not employing hashing on the reset password request

Re:Umm... how's this possible?

[cascadingstylesheet]

How can a clear text password be available to them at all to record it in a log?

Er, because the user clicks "submit" on a password change form? And somebody was debugging something, and was logging the submitted data before the password got hashed?

Re:Umm... how's this possible?

[tepples]

If you have users who turn off JavaScript-by-default for security reasons or software freedom reasons, how do you hash on the client side?

Re:Umm... how's this possible?

Good thing it's just a small website with this problem, right guys? Salting and hashing passwords is sooooo 2006. You guys gonna take your rainbow tables to the mall!? Hahahaha. Today data is capital, and we need access to every last piece of it, especially the most private information. Grow up e-loser.

Re: Umm... how's this possible?

[art123]

Every single web site you use including Slashdot, Gmail, etc etc has the plain text password available to the server. The hashing of the password with a salt runs on the server. This Github bug was simply that a developer wrote the plain text password to a log file during the authentication process. They didnâ(TM)t store the plain text password in a database.

Re: Umm... how's this possible?

Diversity hire.

Re:Umm... how's this possible?

[DonkeyG5]

<noscript>This website requires Javascript enabled in your browser, you fucking twat. Please enable it and try again. If you don't wanna enable Javascript you can go and fuck yourself with a cactus.</noscript>

Problem solved.

Re:Umm... how's this possible?

Hashing the password client side means that the hash is the actual password - which is then stored in plain text.

If I can get hold of a list of hashes, I can log in without knowing the corresponding passwords, as the server only compares the hash received from the client with the hash in the database.

Re:Umm... how's this possible?

If you're putting your password into a HTML form and submitting it then it's *always* sent plaintext to the remote server.

You use HTTPS to encrypt the password during transit against eavesdroppers, you trust the remote server isn't logging the passwords, and you trust that they are hashing it before storing it so that no-one can get the passwords by stealing that database.

The only way to avoid that is to use things like private/public keys. That's ok for SSH login or the Git protocol, but doesn't play well with web page logins.

It's one reason you should use a different password for every site and use a password manager so that's manageable.

It means the single sign on via Google/Facebook etc is actually more secure because then at least they only have a time-limited token and have never seen your password. You're then only trusting a couple of large entities who should be expected to doing it correctly compared to a small throwaway site.

Re:Umm... how's this possible?

*some* user passwords. I disallow sudo on multi-user machines because the following often happens:

14:57:12 Failed SSH login attempt from IP x.x.x.x using username foobar.

14:57:28 Failed SSH login attempt from IP x.x.x.x using username foobar.

14:58:02 Failed SSH login attempt from IP x.x.x.x using username battery horse correct staple.

14:59:32 Successful SSH login from IP x.x.x.x using username foobar.

If you have a big enough userbase, they'll put a lot of passwords in the username field.

Re:Umm... how's this possible?

You forgot a link to download Internet Explorer 4.0

Re:Umm... how's this possible?

[nedlohs]

How do you think they both check your password and allow you to change your password without ever having the clear text password available?

It's a trivial thing to do, by not thinking what you are doing through. For example, "Hey Bob, can you work on bug 127654 the "password reset fails in this obscure case" one?". Bob then adds "log(form.getAll().toPrettyString())" to the reset code and either leaves in his debugging output when he checks in the actual fix or modifies production directory if it's a cowboy development shop.

Clear text passwords are now in the log files.

Re:Umm... how's this possible?

[cmseagle]

Relevant Wikipedia article, for the curious.

Re: Umm... how's this possible?

Welcome to NTLM.

Re: Umm... how's this possible?

"This website requires an HTML5 compliant browser. Get out of your parent's basement and stop using Windows 98."

Re:Umm... how's this possible?

[Tyrannosaur]

I always wondered why we don't hash client-side *and* server side. Then the password would be the result of a hash, as you say, and it would also be stored properly.

Being hashed client-side also means the server doesn't have to worry about too-long passwords or bad characters in the password or anything; it just expects the result of a hash. As long as the thing it receives is (say) 256 bits long, it's good.

Re: Umm... how's this possible?

The point is to have the client hash the password twice, once with the cold storage key, and again with a per session key. The server will then also hash its cold storage value with the per session key before comparing. This keeps the cold storage value off the wire; in case of man in the middle attack.

Re:Umm... how's this possible?

[Opportunist]

By sending them a hash of the password I enter, which is then stored as a hash of that hash in their database. The idea is that even if I am the average dumb user that reuses the same password over and over, the salted hash ensures that this password is not published even if the first hash gets published (or logged, as in this case), while the second hashing ensures that knowing that first hash does not immediately compromise the authentication process.

Re:Umm... how's this possible?

[Opportunist]

Single hashing bears a problem. If done on the server side, the clear password has to travel to the server. In an encrypted tunnel, all right, but you have to trust that tunnel and you have to trust the process between tunnel and hashing, which as we can see here has been compromised.

Hashing on the client side reduces the problem to one akin to storing a plain-text password where you compare what is sent by the client with the database, leaving the data vulnerable in case of a database hack because knowing the hash allows you to log in.

The main reason for double hashing is that people are lazy fucks who not only choose weak passwords but also use them everywhere. Creating a hash on the client side already mostly takes care of this problem because not only can you no longer determine whether the password is actually sensible, if salted properly even reusing it isn't that big a problem anymore.

Re: Umm... how's this possible?

My god, I hope youâ(TM)ve never implemented any security systems. For how to do this correctly, look up SRP, which fixes at least two major issues in the system you describe.

Re: Umm... how's this possible?

[Dwedit]

It makes me nervous enough that I think basic hashing and encryption should be done at the client side as well. This would stop everything that isn't tampering with the site itself.

Re: Umm... how's this possible?

Because there are much smarter ways to do this. Look up SRP to see how to do it properly.

Re: Umm... how's this possible?

If you've told the server that your password is "hunter2", you're going to have to tell it "hunter2" again in order to log in. Hashing and encryption on the client side won't help if at some point the string "hunter2" still needs to be sent, received, and checked against what the server knows.

Re:Umm... how's this possible?

[TheRaven64]

There are a couple of reasons, but the main one is that if you're able to run code on both the client and server then there are much smarter ways of doing this. The simplest way is to store a public key on the server and store the corresponding private key on the client. Then the server sends some data to the client, which encrypts it with the private key and sends it to the server, which decrypts it with the public key. If the encrypted data matches the data provided by the server, this proves that the client has the private key. There are more complex protocols, such as the Secure Remote Password protocol that do something equivalent to this but using a password rather than a stored private key. The basic idea is the same: you send something that proves that you have the password, not the password itself.

In most cases on the web, it's usually because you want to support browsers with JavaScript disabled, so you must support a simple submit-the-password-via-a-form mechanism. That may change as the WebAuthn standard becomes more widely deployed.

Re:Umm... how's this possible?

I think that really depends on the system.

For example, it's common practice to salt password hashes. So, depending on mechanisms used, it can get pretty chatty and cumbersome to do so.

For example

Client: I wish to log in with this username
Server: Cool, here's the salt I used to complicate your password hash
Client: Awesome, here is the resulting hash, using my password, and your salt the way I think it should be glued together
Server: You're in!

Most protocols that I'm aware of do in fact deal with this on the server side. But in the space I work in, it's absolutely enforced that a secure channel be used.

For example, for some web services, the client actually concatenates a string, something to the effect of username:password -> base64 encode that (NOT ENCRYPTED!),
then push it onto an HTTP Request as an auth header. (but the request is made over an SSL channel, which ensures things like, I know for sure im sending this to the correct server, nobody can read it, and nobody can modify it before it gets there)

At first glance it seems kind of stupid, because we're taught never to send/store/deal with passwords in plain text. But in my world, given that it's enforced that these channels must use HTTPS, I'm just kind of thankful that it's handled outside the application logic scope... in fact, I don't generally care how the password is dealt with. It COULD be plain text (I mean it's not); but in my world I just grab the identity and supporting roles from the request context. And if the authentication portion of the request fails, it never hits my block of application code. (or if I had the application server configured in a way that it did allow that, I would be able to determine the request doesn't have a vouched for identity)

I'm not sure if I'm even adding valuable context to your statement/question. Except to say that I wouldn't want to deal with the password to hash it locally, I literally want to be as far away from it as possible.

Re:Umm... how's this possible?

[nedlohs]

So both requiring running javascript on the browser to login and not actually providing any additional security for them (the hash is now the clear text password).

So to protect people who reuse passwords we prevent people who don't want to run javascript from logging in at all? Those people being protected could just use their own software to get the same effect without stopping non-js users from accessing the site at all.

Re:Umm... how's this possible?

[FictionPimp]

This is github, so when I'm using HTTP auth via git, does git need to implement a javascript engine?

Re: Umm... how's this possible?

[mark-t]

No, it wouldn't.

Let's say your password is X, and you hash it locally to Y. You still have to send Y to the server to be validated. There's no way around this.

If you are sending Y, then it is possible that the server could potentially log Y, and someone who sees those logs might in turn be able reproduce your login by sending Y themselves, even without ever knowing what X is.

That Y might happen to be a binary string that has no visible representation or ability to directly type on a keyboard has no bearing on whether Y may still be visible as "plain text".

Re:Umm... how's this possible?

[Opportunist]

You could simply allow people not wanting to run Javascript to transmit their plaintext passwords.

Though that also eliminates any and all grounds for complaining if their true and tried and often reused "password1234!" appears in a log...

Re: Umm... how's this possible?

[BronsCon]

How about a full name, rather than an ambiguous acronym?

Re:Umm... how's this possible?

[tepples]

"JavaScript is enabled, but I use LibreJS to block proprietary script. Can you send me a copy of the authentication script's unobfuscated, unminified source code under a free software license so that I (or another member) can perform a code review before executing it?"

If the answer is no, then this is why GitHub has been rated F for requiring execution of proprietary script.

Re: Umm... how's this possible?

[tepples]

The closest is probably Secure Remote Password, as TheRaven64 pointed out.

Re: Umm... how's this possible?

That violates the first principle of client-server communication: never trust the browser. It is too easy to manipulate the code running in a browser to ever trust it to do anything related to account security.

That said, there are also a host of other issues. Such as guaranteeing the same hash will be generated. Consider a fun piece of malware that subtly tweaks the JS hashing algorithm so it generates a different hash each time you submit, making it impossible to log in. That would create chaos for site owners. Or, even leaving malicious intent aside, client-side hashing means you can't use salts anymore since there's no good way to tell your cell phone what salt you used when you first logged in from your laptop.

Re:Umm... how's this possible?

Also, as I took a moment to reflect upon this a bit more. I think if the client sent did the hash, and then sent the hash as is for the server to process, it would kind of defeat the purpose of hashing, at least in some ways. Sure an attacker whom got a hold of a user credential repository might not know what the passwords were, which would offer some protection against perhaps discovering access to other sites, if users did that thing they never, ever do; use the same password for all their favorite stomping grounds...

But from my perspective, and I'm admittedly not a security expert; you gain some inherent protection from sending in an actual password, and then having the server do the maths to figure out if this is the same password you entered in the last time.

Say attacker did get a hold of such a credential repository, and they submitted the username and password hash verbatim; if the service attempted to salt and hash that, it would result in a different hash value, and it wouldn't honor the request. One key here is that hashing is sort of a one way encryption. The only way, to end up with the same value, is to enter the same inputs (if the math is sane).

To that end, when salting hashes, the key is to make an attacker get as little fruit for their efforts as possible. Hypothetically speaking, if it took a few months to generate a set of data that could allow them to reverse lookup a hash and get a probable seed value (the password), if the passwords werent salted, it would mean an entire credential repository would be lost. Whereas if every password were to have a unique seed (even if it was just a sequential numerical value), they would have to repeat that process for each seed available. So 100 users could take a whole lot longer to process even a tenth of that repository.

When you could that with best practices, such as simply not leaving the password the same for a long period of time, you can quickly make even attempting to brute force it entirely not viable...

I guess I just sit on one side of the coin, but I think I'm more of the mind of... don't write to a service over an encrypted channel, and don't make the weak point in the security, the hard data the attacker now has after they gained access to something like that (when they have eons to play with it)

Re:Umm... how's this possible?

[beelsebob]

Double hashing does effectively nothing useful. The correct solution if you don't trust that the tunnel is encrypted is to use a zero knowledge password exchange protocol like SRP.

Re: Umm... how's this possible?

[BronsCon]

Probably. There are 11 possibilities, just within the realm of computing, and that's if we limit to only those listed on that wiki page, though; so it's a bit irresponsible to simply use the acronym in this case.

Re: Umm... how's this possible?

Wow. What a stupid rating system.

Re: Umm... how's this possible?

Ah. I retract that. It's a perfectly valid rating system, it's just that it's intended for obsessive compulsives who insist you call it GNU/Linux and never accept free beer.

Re: Umm... how's this possible?

[lgw]

Let's say your password is X, and you hash it locally to Y. You still have to send Y to the server to be validated. There's no way around this.

You don't ever need to send the password, X or Y, if you can depend on running some JS on the client: just use a zero-knowledge proof of identity. However, it's pointless overkill, as man-in-the-browser attacks are more common than MITM attacks these days. Complicated login approaches don't really help against the common attack, so there's little point in getting clever - just make sure you're using HTTPS and POST not GET.

Re: Umm... how's this possible?

[mark-t]

Anything that you send to the server can be read by that server and can therefore be potentially logged as plain text (which is what happened here). The only way around this is to move 100% of the server functionality to the client, which means that the client can't exchange any data with the server in any way (because any data that they do exchange to somehow confirm identity can be logged, as I said above).

Re:Umm... how's this possible?

[Junta]

Generally speaking, if a scheme means the server is never handed the password at all, then a compromise of their database leaks a viable set of credentials to use to log into their service. The alternative to one-way hashing, with password provided to validate knowledge of the password is generally some variation of shared secret, where the server must have the same knowledge the client has. It may be a secret derived from the password and thus the password is still not known, but it's of small comfort when you don't actually need to know the password to authenticate.

The only approach today that at least superficially involves a password without these pitfalls would be a password locally unlocking a private key and using key based authentication instead (in which case the entire password situation is unknown to the server), but without some sort of recovery mechanism, you would have a lot of users losing their private key material one way or another without a good recovery option.

Re: Umm... how's this possible?

Entitled old white guy.

Re:Umm... how's this possible?

Nice XKCD jab.

Re:Umm... how's this possible?

[Junta]

Problem with SRP is that it's not particularly useful in a browser, practically speaking.

The implementation actually performing the SRP is going to be a javascript download from the site you are dealing with. Meaning the server and connection you explicitly do not trust to send your password to is the one you are trusting to provide the alternative implementation.

Doing SRP right requires a lot of work that just isn't happening. Namely browsers particularly need to implement some sort of industry standard integration of the concept so that the connection can't tamper with the client side implementation. However it's a chicken and egg problem, they don't do it because no one uses it and no one uses it because they don't do it.

Also, the migration would be another one of those huge pains. Many browsers unable to do SRP the hypothetically standard way alongside the standard SRP clients to support. Would need to be able to support users who have not logged in for a while to provide data to calculate a new version of their password whilst simultaneously proving they know the old password, and having that mechanism not be susceptible to defeat SRP.

Also have to sort out how to do the password entry UI, as users have been trained that the stock user/password prompt in a browser is a sign of weak and/or lazy security and sites have become accustomed to personalizing even the login experience (for branding purposes and to make users feel like the site takes security more seriously, despite no technical reason for that impression being valid).

All this to solve a problem that the wider community generally considers 'solved' already by good certificate discipline and avoiding any non-ephemeral treatment of passwords. Of course this very article is an example of how even respectable organizations screw up that latter half. In any event, the widely held perception is that SRP is not enough worth it to do it right, that if not done right it's not worth doing, and switching to various dressings of key based authentication is better anyway.

TLS-SRP http would be in particular an amazingly better solution for a lot of 'internal network' use cases for TLS where the CA model particularly falls short, but it's just not in the cards as things stand today.

Re:Umm... how's this possible?

[Dragonslicer]

I always wondered why we don't hash client-side *and* server side. Then the password would be the result of a hash, as you say, and it would also be stored properly.

Because it would only be stronger than really weak passwords. While the result of a SHA1 hash is stronger than "password", knowing the exact length of the password greatly reduces the number of possible passwords, therefore making it easier to brute force.

Re: Umm... how's this possible?

[lgw]

Yes, yes, which is why a method of authentication that is not replay-able is preferred, all things being equal. You're missing the point of "zero-information" protocols: log whatever you want, or send it in the clear, it gives an outsider zero information that's of any future use.

Re: Umm... how's this possible?

That wouldn't help, it basically would just change your hashed password into your new password (that is, the thing that needs to be sent to the server to prove identity). You could do both, but that doesn't by you much.
https://security.stackexchange.com/questions/53594/why-is-client-side-hashing-of-a-password-so-uncommon

The best practice we have today (as I understand, I am not a security engineer) is to encrypt the communication from client to server, trust the server to keep sensitive things secure, and store a hashed (salted and peppered) password in the database, preferably using a slow hash algorithm like bcrypt (fast hashes can be brute forced more easily). I don't know of a good way to get rid of the need to trust the server, but a client-side hash isn't it.

Also, from the summary, it sounded like this logging bug only affected those that were changing their passwords during that time. Overall, it was a bad bug, but it was caught when the impact was low, (only company insiders could have accessed it) and was caught before it escaped (most likely, it is impossible to be sure of that).

Re:Umm... how's this possible?

[Dragonslicer]

A string of 32 random hexadecimal digits is stronger than "password123", but it's weaker than a strong password.

Re: Umm... how's this possible?

That is not correct. Some sites store the hash only, they have no access to the original password nor was it ever exchanged.

S'pose you're partially correct, those specific sites are likely doing it wrong. At the very least password reset emails should have a limited lifetime.

Re:Umm... how's this possible?

So the database contains what amounts to plaintext passwords for the service? I'm not certain you've thought this through.

Re:Umm... how's this possible?

[fsck!]

It sounds like the logs in question were of the form fields being submitted by the user password reset form. Even if you're using SSL (which they are) and the passwords are only stored as a hash (which it sounds like is true at GitHub), there's still a moment where the server has the plaintext password. Some logging frameworks will automatically omit or redact the value of any field like `secret` or `password`. Perhaps in this case they forgot to also redact `password_confirmation` or something.

Re: Umm... how's this possible?

[mark-t]

It doesn't matter if you send it in the clear or if you send it encrypted... the point is that the server will know what you sent, and if that server logs what you sent, then all someone else will have to do is send the same thing in their own session. If you can't replicate it, then there's no way for the server to possibly be able to verify your identity at all.

Re:Umm... how's this possible?

[Darinbob]

I worry about this, but I see it far too often. We learned decades ago with Unix to never store the plaintext password anywhere. Instead you store a value derived in some from the password and other information (such as a secure hash function). That way even if you get a glance at the password file you never see the passwords. It's basic freshman level security.

That a web site even has a plain text password is bad, that it stores the password is even more bizarre.

Sadly, I think there are major tools that do this. I remember our company arranged for a third party site to have some training, and that third party site sent me my default password. This was the same password I used at work a few months prior. I was surprised at the lax security involved when our company decides to just send all the passwords to a third party, and surprised that our company even knew the passwords. I know that OSX doesn't save the plaintext anywhere, Linux doesn't save the plaintext, so I can only conclude that either Active Directory uses or can regenerate the plain text. If true, it's mind boggling how insecure that is.

The enemy of security is convenience, you can't have both. So i think a lot of these problems come from trying to add in convenience. Ie, you change your work password, and that password is used internally with 10 different servers/sites. 9 of them implement a proper minimum level of security and they securely have their user credential updated without ever seeing a password. The 10th site however is dumb, and in the name of expediency they are sent the plain text of your password. That original password however never should have left the original computer in any way (encrypted or not).

There are people who think I'm paranoid about security, but that comes from actual experience about how bad average levels of security really are in practice. And I'm not nearly as paranoid as security experts. That git-hub even had access to passwords in any form is discouraging.

Re: Umm... how's this possible?

[lgw]

Protip: when you don't understand the words being used in the post you're responding to, you might develop the habit of looking them up, rather than continuing to demonstrate your ignorance.

FFS, at least understand what a replay attack is, and what a non-replay-able protocol is, before wittering on about them.

Re:Umm... how's this possible?

[Darinbob]

That's either bad security or you're vastly oversimplifying. Assume everyone is listening in on the network transaction; so you can't send the password over the network, and you can't send the hash over the network, otherwise the transaction can be replayed to spoof the server. Each session should be unique.

Re:Umm... how's this possible?

[Darinbob]

This is why you don't have novices implement security. Also make a note that an expert on the use of an SSL API is not the same as a security expert. We continue to have these security problems because there are so many people implementing security who aren't security experts. Never mind the actual design itself which should come from even higher up.

Re: Umm... how's this possible?

I do not think that you grok basic reading comprehension.

If you run "passwd" on UNIX the binary gets the unhashed password and could log it. Same thing here. It's not stored unhashed, just logged as it was in flight.

Re: Umm... how's this possible?

Who never once exposed passwords in plaintext.

When you want to virtue signal to woke smug condescending elitist white liberal assholes, hire a black trans "programmer".

When you want to protect your users and build a quality product that works, hire a white or asian male.

Citation: The article you're commenting on.

Re:Umm... how's this possible?

[ClarkMills]

Seen this happen a zillion times... person enters password in the "Username: " field.
Eg (synthesised, from memory):

Failed login for "secret" on tty04
Successful login by "jbloggs" on tty04

Re: Umm... how's this possible?

[mark-t]

Second protip, don't move the goalposts of a discussion and then try and call someone on not knowing what they are talking about.

The suggestion above was to encrypt the password on the client side.... but of course, you still need to actually send that encrypted password, and that encrypted password could be logged. The server would never know the "real" underlying password, but a person who viewed that log could send that exact same byte sequence without ever ever knowing the alleged real password, just as the server itself is able to identify the user without knowing the real password in such a case.

The only difference between this and what happened at github is that the password logged in github's case wasn't actually encrypted, and was logged as simple plaintext. But the end result is the same... a person could send what they saw in the log it to the server as part of a login sequence and fraudulently identify as another user.

Re:Umm... how's this possible?

here's how it was possible:

function callBcrypt (username, password) {
      console.log("debug: password:", password)
:
:
:

And someone left that code running on the Node server. :) Running bcrypt on the client would have been a possibility but there's a long argument about whether to encrypt the password on the client, or on the server, because if you are using TLS1.3 cyphersuite for HTTPS your connection is solid enough.

Re:Umm... how's this possible?

If we can't trust HTTPS (TLS1.3) the entire fucking world is fucked: all banks, all hospitals, all infrastructures that rely on CA.

It's pretty damn safe to assume HTTPS is "trusted".

The only alternative is to unbank yourself and live in the wilderness if you think HTTPS isn't safe enough.

Re: Umm... how's this possible?

You can have the server store two salts for each user.

You type in your username, the server sends you the first salt. You hash your password with the salt and send the result to the server. Now the server hashes the hash with the second salt, and checks it.

This doesn't solve the "person snooping on the line" problem, but it does solve the "people are idiots and store passwords in plaintext" problem.

Re:Umm... how's this possible?

A stored hash is no better than a stored plaintext password. A wiretapper who succeeds in capturing such a hash may not be able to figure out the password, but he can use an altered browser to send the hashed password directly when needed. In other words, the hacker won't need to know the password because the hash is enough.

A better way is for the server to send over a salt (different each time), and have the client hash the typed password with that particular salt. Then compare using the same salt on the server side. A hacker may then only get a hash for one particular salt that won't be repeated.

Re: Umm... how's this possible?

[lgw]

C'mon, you said "there's no way around this", and I just pointed out "yes, there is a way around this", where it would be safe to log whatever. And if you were using JS to hash client-side, you could just do it the right way instead.

If you really want to solve this kind of problem with client-side JS, you can indeed solve it that way, and make it safe to log everything sent. I think that's solving the wrong problem, but you could.

Re: Umm... how's this possible?

[mark-t]

My point is that if you are sending the server the hash then effectively, that hash *IS* your password... and that's all that a would be attacker would ever have to send to impersonate you, because that's all that *YOU* sent to identify yourself.

Re: Umm... how's this possible?

yes but it'd help in the case of password reuse, since instead of trying hunter2 on every website they'd just have a hash useful on only one site.

Re:Umm... how's this possible?

[Opportunist]

Ok, that's a different beast, that's user error.

Re: Umm... how's this possible?

[fisted]

This entire thread is a fucking trainwreck but your comment takes the cake. Hashing with a key?! Hashing locally and sending the hash to the server so that it compares hashes? Then your hash is the damn password and you're back at sending your password to the server, who stores it in plaintext. Yay.

Re: Umm... how's this possible?

[fisted]

You poor thing. Let me dissect those 11 possibilities for you, in an attempt to find the one that matches the context of password authentication:

       

Single responsibility principle, a concept in computer science

Hmm. Could that be it? Does "single responsibility principle" sound related to "password authentication"? Hard to tell, but I think it doesn't.
       

Secure Remote Password protocol, a protocol for authentication

Hmm. Could that be it? Does "secure remote password, a protocol for authentication" sound related to "password authentication"? No way.
       

Server Routing Protocol, a network protocol used by the BlackBerry Enterprise Server middleware

Hmm. Could that be it? Does "server routing" sound related to "password authentication"? Hard to tell, but I think it doesn't.
       

Spatial Reuse Protocol, MAC-layer protocol for ring-based packet internetworking

Hmm. Could that be it? Does "ring-based packet internetworking" sound related to "password authentication"? Hard to tell, but I think it doesn't.
       

Stream Reservation Protocol, reservation of network resources for specific streams across a bridged LAN

Hmm. Could that be it? Does "stream reservation" sound related to "password authentication"? Hard to tell, but I think it doesn't.
       

Session Request Protocol, a communication protocol used internally by the USB On-The-Go standard

Hmm. Could that be it? Do "USB OTG sessions" sound related to "password authentication"? Hard to tell, but I think it doesn't.
       

Stack Resource Policy, a resource allocation policy used in real-time computing to prevent deadlocks and multiple priority inversion

Hmm. Could that be it? Does "prevent[ing] deadlocks and multiple priority inversion"? Hard to tell, but I think it doesn't.
       

SCSI RDMA Protocol, for transferring SCSI commands and data

Hmm. Could that be it? Does "transferring SCSI commands and data" sound related to "password authentication"? Hard to tell, but I think it doesn't.
       

Synchronous reactive programming, a programming paradigm

Hmm. Could that be it? Does a programming paradigm sound related to "password authentication"? Hard to tell, but I think it doesn't.
       

System restore point, an historical snapshot in a computer operating system

Hmm. Could that be it? Does "system restore" sound related to "password authentication"? Hard to tell, but I think it doesn't.
       

Software Restriction Policies, also known as "SAFER", a policy built into Microsoft Windows XP and newer versions

Hmm. Could that be it? Does software restriction in Windows XP sound related to "password authentication"? Hard to tell, but I think it doesn't.

Yeah, impossible to tell. This shit is hard, let's go shopping.

Re: Umm... how's this possible?

[BronsCon]

and that's if we limit to only those listed on that wiki page

In other words, there's no guarantee it's any of those 11.

That said, I really didn't need the breakdown, but many others here may have, so thank you for providing it, I guess?

Asshole.

Re:Umm... how's this possible?

[fisted]

The only way, to end up with the same value, is to enter the same inputs

Or one of the infinite number of other possible inputs that will produce the same hash. But please go on educating us on this matter. I mean how hard can it be, right?

Re: Umm... how's this possible?

[fisted]

and never accept free beer.

I have to intervene at this point, what you call "free beer" should in fact be called "gratis beer".

Thanks for caring.

Re: Umm... how's this possible?

[fisted]

So you proactively complained, on behalf of others. That's actually worse.

but many others here may have

Yeah, all the lesser minds, common idiots who -- unlike you -- lack the intelligence to resolve an acronym with the help of a disambiguation page.

You sound and act incredibly arrogant.

Re: Umm... how's this possible?

[BronsCon]

So you proactively complained, on behalf of others. That's actually worse.

Howso?

You sound and act incredibly arrogant.

Hi, Pot, I'm Kettle!

Re:Umm... how's this possible?

software freedom reasons

Have you ever even seen a woman naked who isn't a hideous troll?

Jesus christ.

Re:Umm... how's this possible?

[xign]

I keep seeing responses like this but they never make sense to me.

Your argument basically boils down to "JS-based SRP is insecure because JavaScript crypto is insecure, which is because of the web page delivery mechanism". Well, yes, web crypto has a chicken and egg trust issue, but this problem *already exists in the current traditional login methods*! If a malicious actor can inject HTML/JS into your login page, *both* SRP and traditional password logins would both be hosed, since it would be trivial to just listen to all the keyboard inputs and query the password field's value.

Browser JS-based SRP can't defend against JS injection, but it defends against other things. It protects again careless mistake like the recent ones (Github and Twitter accidentally logging traffic). It also increases trust. In the traditional method, failures are silent. A malicious or incompetent actor could silently log all the passwords without you the user knowing about it. All you have is their word. For SRP though, an attack is much more visible and much less likely to be due to a coding error. Since it requires changing the login page's code and will send more information back, it's likely to be caught by security researchers unless it's a *really* targeted attack.

SRP also protects against MITM attacks. These are not theoretical. Look up BEAST/CRIME/BREACH which were attacks on TLS protocol itself, or Cloudbleed (https://en.wikipedia.org/wiki/Cloudbleed) where CloudFlare had a bug in their SSL proxy which led to anyone being able to intercepts their SSL traffic (incidentally 1Password traffic was intercepted too but was fine because they used SRP...). These kinds of attacks are passive MITM listening attacks, and a browser-based SRP would still be fine since the attacker isn't injecting content.

Browser SRP is not perfect, but it doesn't need to be! It just needs to be *better* than traditional password entries. In this case it's actually *strictly* better, since all the failure cases for SRP are also failure cases for traditional passwords.

I do agree a native browser SRP solution rather than one based on JS would be nice, but perfect is the enemy of good. JS-based SRP is already better than traditional login pages, and if you build a website you can already deploy it.

"All this to solve a problem that the wider community generally considers 'solved'"

Well...as we can see from these two instances it's clearly not solved. Defense in depth means you reduces risks in multiple layers. Also, as I mentioned, we are thinking on the side of server administrators. Even if you claim you are practicing good security practices, there's no way for a user to know as he's just sending the raw password to you anyway. If you use SRP though, I can actually hold you accountable since I know there's literally no way for you to steal my passwords. It's like in SSH where I know it's literally impossible for the server to steal my private key.

Re:Umm... how's this possible?

[Junta]

The point on the JS based SRP is insecure is not to say that it is less secure than a password based approach, only that it is not any more secure (if you can defeat TLS as would be required to sniff password, then you can also inject any alternative SRP implementation you like).

In terms of the attacks on the TLS protocol itself, every time there was a 'business as usual' fix for it within the site operator's control.

The general problem as it stands is that to justify the need for browser based SRP, a site must figure *itself* to be incompetent and/or a bad actor, because the only things it adds protection against is site admin explicitly screwing things up, and few people are inclined to factor that in.

It could change if browser native implementations meant you could tell those site operators that they could defend users from their own screw ups, but as it stands correctly implemented (and yes that 'correctly' warrants some humility, but we speak to reality) strategies can mitigate everything that JS based SRP can.

Further, if you don't have the password, you don't have the ability to 'save the user' from their own bad choices, which is frequently a demand of security teams.

Of course, at the end of the day, SRP based on passwords is still subject to the weak link of human selected passwords, which is why the broader industry focuses more on strategies that involve private keys or machine generated shared secrets than wanting to focus too much on secret material derived from some human originated data alone.

Password reset

[gringer]

the bug "resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset."

...

"We have corrected this, but you'll need to reset your password to regain access to your account."

Er... are you really sure that this has been corrected?

Re:Password reset

I work in computer security for the auto industry. I've been published in selective conferences twice, and I am often asked to make complicated sells on security measures to people who don't know much about security more than things like PIN numbers and encryption (many of them are engineers). You know what kind of people I've watched promoted faster than me? The people that just slap the word "secure" on everything without actually doing anything. Liars, snake oil sales me and hacks. This is a PR move, and propaganda is power more than ever. Of course their internal logs are "secure". Since there's no definition and less people really understand security than Mensa has members, you can just say everything is secure. Equifax? Secure! Github internal logs? Secure! Did they actually mitigate anything with regards to logging? Probably not much. It was secure before, and now it's double plus secure awesome!

Re:Password reset

You

Re:Password reset

[HiThere]

While I can't prove that your paranoid speculations are incorrect, neither can you prove that they are correct. I believe that you are honestly reporting the way you perceive your experiences, but to claim that this is happening at a site that you don't know personally is, as I said, paranoid. And, frankly, usually personal issues are more important than technical competence at getting promoted, so if that's important to you, you might want to work on personality. I don't think "just slap the word 'secure' on everything" would suffice.

OTOH, I acknowledge that it's quite hard for an adult to change their basic personality. Not knowing who you are, it's difficult to make a recommendation, but you might benefit from a few years of Tai Chi dance. The meditative aspect would be of the greatest help. Or perhaps some pranayama yoga. Or Reichian or Primal Scream therapy. (I don't really know about those, but some report good results.) If you're wealthy you could try Cognitive-Emotional therapy.

My best guess, based on my best guess of who you are, is Tai Chi dance from an instructor who stresses the meditative aspects. That's slow, but not necessarily expensive. And many find it worthwhile just on its own terms, rather that because of any result they are after. It can also lead to a better social life...but it *is* slow.

Re:Password reset

[Dragonslicer]

PIN numbers

Sorry, lost all credibility right there.

Basic Auth

[k2r]

I guess http basic auth over TLS.
The connection is encrypted using TLS but the password is transferred in the clear (base64).

Don't use basic-auth.
If you absolutely have to, use an application specific password with restricted rights.

How did this happen?

Okay, so for those who do not know quite how password storage works there are 3 parts to it
1) the original string of password text
2) salt - this is a random string used to create randomness in what is to come
3) you feed the string and the salt into an encryption algorythm like sha512 which produces a HASH this is what gets stored

Now for the fun part, the original string of password text is discarded NOT STORED ANYWHERE, when you need to check a password you feed in the salt and string to the encryption algorythm and check that the HASH is the same as the hash stored in the database.

If GitHub was actually storing plain text passwords...the pure amateur stupidity, I mean who to trust to be competent at a certain point beyond yourself?

Re:How did this happen?

So how is this "random salt" recovered when you need to check the password's validity?

I still don't quite know how password storage works even after this explanation.

Re:How did this happen?

[Big+Hairy+Ian]

3) you feed the string and the salt into an encryption algorythm like sha512 which produces a HASH this is what gets stored

Except sha512 is a hashing algorythm not an ecryption algorythm.

Re:How did this happen?

[TheRaven64]

The salt isn't secret, it's just used to prevent rainbow tables from being useful. If you store passwords as unsalted hashes, then an attacker can construct a large table of all of the hashes of 8-character inputs and compare each of your hashes against their table. If there's a match, then they have a password that will work. If you add a salt, then they can't use such a table, because they have to check each 8-character sequence with the hash prepended. If the salt is different for each password (as it should be), then there's no benefit from pre-calculating the table. If it takes 2 hours of GPU time to compute the table, then with unsalted passwords that's a one-time cost and you can then crack any weak password in a leaked password database almost instantly. In contrast, it will take you 2 hours to attempt each password and crack each weak one in a leaked salted password database.

Re: How did this happen?

This. You can't have the client hash the password. That is why we have tls.

Re:How did this happen?

If GitHub was actually storing plain text passwords...the pure amateur stupidity, I mean who to trust to be competent at a certain point beyond yourself?

Given it's only affecting the forgot password form I assume a developer left in a print statement dumping all the POST variables. So not affecting other pages (login) or password storage.

Re:How did this happen?

[HiThere]

IIUC, what happened is that the passwords that were revealed were of those who were resetting their account passwords. So this would mean that they needed to be send the new password in clear text to the site, at which point it was logged before being hashed.

This is still a problem, but I'm not sure that there is any reasonable way around it. It just shouldn't have been logged.

Re:How did this happen?

[Dragonslicer]

So how is this "random salt" recovered when you need to check the password's validity?

In addition to what others have said about each password having a random salt stored alongside, you can combine the salt with another string that's stored in a secure hardware module. This string is the same for all passwords, but it can only be accessed by the application. This makes determining passwords even more difficult for someone who gets a copy of the database, since they don't have the entire string that was passed to the hashing algorithm.

Because computer scientists think they're funny, they call the secure string a "pepper".

DO NOT USE HASH!!!!

[DrYak]

you feed the string and the salt into an encryption algorythm like sha512 which produces a HASH this is what gets stored

Argh!
No!
NO!!!
NO-NO-NO-NO!!!!
DO NOT USE HASHES ! (like Sha512).

These are designed to be *fast* (1), meaning that it could be not impossible for an attacker to guess the password out of the hash simply by brute forcing all the most common password and variations thereof into the same salt and see if they match.

(1 - And remember that the "tera hash" that ASIC bitcoinminer are reporting are exactly that : trillion of SHA256-like computation per second.)

USE KEY-DERIVATION FUNCTIONS (KDF) INSTEAD !

Like the Bcrypt use by github as mentionned in the summary. Or Scrypt (same used by tarsnap). Or Argon2. etc.
These also produce a value out of a password and a salt, but they are on purpose extremely slow (E.g.: by repeating a hash function over and over for a high number of iteration).
If each computation takes some time, it doesn't impact login that much (After all, you only need to log in once at the beginning of your session), but it hinders anyone wanting to brute force your password out of a stolen hash.

It makes data breaches that managed to steal your user database a lot less dangerous (because once you have successfully guessed the password from the hash, the next step is to see all the other places where the user has re-used the same password).

Re:DO NOT USE HASH!!!!

A simple hash is indeed not so secure for storage. That's why libraries like passlib (https://pypi.org/project/passlib/) repeat the hash algorithm a number of rounds, until it takes about 300ms computing time before storing it. As such the reaction time for a single login request is still acceptable, while a brute force attack on the database will take much longer

But the leak here is in the communication and not in the storage. Github uses https, so most probably the leak occurred in the internal network after the https connection is terminated.

They gave no details so It is a little bit guessing. I have seen similar issues with an internal proxy that during some testing logged the body of all incoming requests ( thus all POST parameters were visible in the log files). When putting the testing configuration on the production server, someone forgot to disable that logging. Et voila: all passwords in clear in the log files. Easy mistake to make, easy to cure as well, but definitely a security leak

Re:DO NOT USE HASH!!!!

[tepples]

USE KEY-DERIVATION FUNCTIONS (KDF) INSTEAD !

Like the Bcrypt use by github as mentionned in the summary. Or Scrypt (same used by tarsnap). Or Argon2. etc.

Is SHA256 inside PBKDF2 still safe?

Re:DO NOT USE HASH!!!!

As safe as muh dik painting your colon with baby batter.

Re:DO NOT USE HASH!!!!

I don't really see why people are so against to hashes that they need to shout. Yes, bcrypt and similar are better and should be used. But I'd consider a hash, if properly used, still reasonably secure.

By properly used I mean hash(hash(password + salt) + salt), where + stands for concatenation. Even better if it has some concatenated pepper, too.

You don't even need to remember that formula if you remember the letters "hmac"...

Expected

GitHub has been going down the drain since the day they proudly threw out their Meritocracy rag and focused on the Social Justice Evangelism rag.
So to see the substitution of people with talent and pure interest in coding, by random idiots who are only interested in what was meme'd to them in the inclusion program, result in a general degradation of quality is nothing new.

Re: Expected

This kind of thing we can expect more of, from all the big tech companies. Diversity hires will build a legacy of garbage and vulnerabilities.

Re: reading comprehension fail.

OMG, like how can the server ever know the password in the first place?

From the summary:

the bug "resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset."

p.s. You're making a fool of yourself tonight / this morning, Opportunist. You should go (back?) to sleep.

This still means that they are doing it wrong.

Stored in the data base

[DrYak]

So how is this "random salt" recovered when you need to check the password's validity?

It's stored along in the data base.
Most stored password have a form like :

${type of algorithm used}${parameters used}${data}

where:
- "type of the algorithm used" tell you what was used to generate this (e.g: using Bcrypt, like GitHub as mentioned in the summary).
- "data" is the actual salted-output that you need to replicate to successfully log-in
- "parameters" is any extra-data that the algorithm needs to generate password checks.
Like the salt.
Or like the number of iterations. Because nobody sane actually use a hash function such as SHA512 anymore. Instead you use a Key Derivation Function (KDF) such as Bcrypt (or Scrypt or Argon2) and those are *slow* on purpose, to make brute-forcing much less likely (e.g.: they slow down by repeating a hash for large number of iterations).

The exact implementation vary (the above is typically used by the "crypt" function used, e.g., on Linux log-ins),
but basically are the same : the salt (and iterations) are stored together with the "hash" that you need to test.

And most of the KDF function can work as "hash_to_compare = KDF(password_login_attempt, old_hash_from_database)", ie.: they can automatically extract the parameters if you give them the string that is in the database, and generate the hash the exact same way.
They'll invent a new salt (and guess the optimal number of iterations) only if you omit the old hash and give the new password as the single parameter.

Naughty

[countach]

OK, that's naughty and needs fixing, but it's internal logs, did it need a slashdot story?

Re:Naughty

It just shows how fragile software is. Yet somehow "AI" and "autonomous driving" is right around the corner, but we can't even get the basic stuff right.

Re:Naughty

[easyTree]

Fortunately, investors don't care about the simple stuff.

Re:Naughty

If security is so simple, why are there multiple exploits every day?

Re: Naughty

âoeInternal logsâ

How many stories of companies accidentally leaving all their supposedly internal user data in publicly-accessible Amazon S3 buckets do you need to see before it becomes clear that it is not worth taking their word for it?

Re:Naughty

[easyTree]

Exploits are even simpler?

Re:Naughty

[BronsCon]

Because investors decide what gets done (people need to be paid for the work they do) and they don't care about security.

Re:That is so gay

Kanye lost his mind ever since his mom died. He's clearly become completely ego driven and is constantly trying to fill the void his mom left.

Correct Approach

This is the right way to deal with a security cockup. Notify the users and explain. They could very easily have swept this under the carpet.

I say well done, GitHub

Use Secure Remote Password protocol

Google "Secure Remote Password protocol (SRP)" and implement that.

Your password never leaves your computer. Instead you sign a challenge, and the server validates only you signed it.

Basic auth no worse than input type=password

[tepples]

Basic auth is an HTTP header, and HTTP headers are just as protected by TLS as response headers and bodies. Otherwise, HTTPS would be ineffective against Firesheep-style attacks that clone a session cookie. The other common means of authentication is submitting a password that has been entered into a field of an HTML form as part of an HTTP POST request body. What's any more "in the clear" with HTTP basic authentication than with the form route?

And in case you believe both forms and basic authentication ought to be replaced, what other means would you prefer? I can think of three, each with serious drawbacks:

HTTP Digest authentication This does hashing using a random initialization vector. However, it requires the server to store the password rather than only an irreversible hash for verification. Some zero-knowledge proof means Because this is not built into the HTML5 standard, it requires running script in the browser. Though web browsers by default run all scripts, many users change this for security and data cap reasons. Extensions exist to restrict script execution to a domain whitelist (JavaScript Switcher), a fine-grained whitelist (NoScript), or only those scripts whose source code is machine-readably available to the public under a free software license (LibreJS). Some go so far as to regularly browse the web with all scripts turned off. Client certificates TLS supports the use of a client certificate that identifies a user, which is exactly analogous to key-based authentication in SSH. However, browser publishers have thus far given no significant attention to usability of common use cases, such as choosing the right client certificate for a particular origin, synchronizing client certificates across devices that a user uses, or even something as simple as logging out.

Re:Basic auth no worse than input type=password

HTTP Digest authentication

This does hashing using a random initialization vector. However, it requires the server to store the password rather than only an irreversible hash for verification.

Actually it doesn't. The server would just need to send the salt along with the random IV. The client hashes the password with the salt before doing it with the IV and it would match the server doing the same operation with the IV. Guessing that isn't part of the browser built-in digest authentication so you'd run the risk of client side code.

Drawbacks of HTTP digest authentication

[tepples]

A better question is why doesn't the HTML standard for password fields allow automatic hashing with a custom salt?

It does; it's called digest authentication. But depending on how digest authentication is implemented, it is vulnerable to one of two attacks. If the realm portion is fixed, digest is vulnerable to a replay attack that passes the hash. If the realm portion is variable, it requires the server to store the unhashed password. In addition, digest authentication still uses MD5, which is deprecated and whose immediate successor (SHA-1) is also deprecated.

Re:That is so gay

Dear lord just saw him on TMZ Live, I did not think he could get any more insane but I was proven wrong, way wrong

BACK TO SOURCEFORGE!

[sproketboy]

ntr

Small number?

[mi]

GitHub has sent an email to some of its 27 million users alerting them of a bug that exposed some user passwords in plaintext. "During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system

Is 27 million a small number?..

Re: Small number?

It literally says "to some of it's" not all.. learn to read

Re: Small number?

you fucking moron

they notified 27 million people

you goddamn idiot

not all of those people had their passwords disclosed

you retarded shitfucker

if they notified only the people who had their passwords exposed, then people would know who to target

you obdurate fool

this is exactly the correct procedure to follow

eat shit and die

I hope this helped

Re:Small number?

[godrik]

GitHub has sent an email to some of its 27 million users

Emphasis mine.

Re:Small number?

GitHub has sent an email to some of its 27 million users alerting them of a bug that exposed some user passwords in plaintext. "During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system

Is 27 million a small number?..

You're bolding was incorrectly done.

Beginner's mistake

[GWBasic]

Logging a password is a beginner's mistake, like SQL injection. I found the same bug in unreleased code many years back, and raised it to management so we could track down the engineer who did it. It's the kind of (cough) mistake that can be the "straw that broke the camel's back" when dealing with an engineer who has (cough) "negative productivity."

Ideally, this kind of bug should be caught in code reviews. As someone who reviews a lot of code, even I'll admit that it's possible for something like this to slip through.

Re:Beginner's mistake

I used to have a co-worker who was absolutely mystified that I didn't want our *classified* project code organized on GitHub.

To many eyes, all bugs are someone else's problems. That doesn't mean closed source is inherently more reliable. It all really comes down to the QA investment, and a disinterested minimum wage employee is just as effective as user-wide apathy.

Re: Beginner's mistake

Right, because your organization and programmers are so much better that they would never make such a mistake. And you've never heard of or enabled second factor authentication, and you prefer to worry about things that aren't your core competency.

Re: Beginner's mistake

[Antique+Geekmeister]

2-factor authentication can be very useful for improving security. It's burdensome to set up, and makes automation much more difficult. Github, gitlab, and Sourceforge, and other public source control repositories also have a difficult situation _supporting_ multiple access methods,. Even as they improve the security of one system, they're still left with all the potential holes of the other supported systems. From the source articles, Github developers should have caught this one. But let's be cautious to not say "if you did it my preferred way, this would never have happened". Two-factor authentication multiplies the physical cost of setting up or modifying client accounts. One of Github's selling points is its support of many low-budget but useful open source tools. I'd anticipate a great loss of contributing users if 2-factor authentication were mandated.

Why log there at all?

There is almost no good reason to save plaintext passwords to permanent storage or for that matter be in transient storage more than a few seconds.

Barring a legal reason or with the clear knowledge and permission of the password's owner, the only time cleartext passwords should ever appear in a log is if they get caught in a diagnostics log. For this reason, the ability to do senditive diagnostics and see the results needs to be controlled and people need to think first before doing them and dispose of the sensitive pasts of the log as soon as possible.

Thankfully mine was unique to github

[upuv]

I got the email.

I was impressed that it was handled quickly.

I'm even more confident because I actually use a proper password manager making sure I have unique passwd's for everything.

Give them credit

[asylumx]

I give them credit -- here they found their own security issue before it became a breach, they fixed it, and they didn't sweep it under the rug but instead they notified their users. Kudos for being forthcoming.

Re: Give them credit

They don't know there was no breach. Breaches aren't the things attackers / hackers / rouge employees broadcast.

They are guessing there was no breach. Guessing.

Re: reading comprehension fail.

This at -1 is moderation abuse.

SHA step in PBKDF

[DrYak]

PBKDF2 uses SHA-variants in it iteration.
Despite "Shattered", it's not "broken" yet.

There are just better more modern KDFs (like the Bcrypt used by Github, like the Scrypt designed for use in tarsnap, or like Argon2 which is the latest competition winner) that don't have PBKDF's short comings (e.g.: collision of long input pass phrases and their SHA-1).

Regarding : "Shattered" you have to understand its context.
SHA-1 has known to be not as secure as it could be (a 128bit SHA-1 has not 128bits of security) for quite some time.
(The main reason why SHA-2 was developed and is now widely used in cryptography, and a partial reason why SHA-3 got recently developed-though-competition (the other reasons being that SHA-3 / Keccak also introduce some novel interesting concepts) ).

Because of this it was widely speculated that collision could be found.
A team of security research spent massive resource (lots of computation time) to search for collision (not brute forcing the whole 128bits space of sha-1 - which would be hard in any reasonable time -, but cleverly exploiting the above known limitation and vulnerability of sha-1).
After spending a considerable amount of time they managed to create two different blocs of (complete non-sense random) data that happen to hash to the exact same value.
It's not that they can generate collision at a whim, they can generate collision at a tremendous computational cost (but still an achievable cost - unlike the whole 128bits search space), and thus far managed to generate exactly 1 such collision.

Also due to the block-iterative way SHA (And most other pre-SHA-3 hashes) operate, it means you can stick this block in a file in a specific way, and get the same hash as if you stuck the collision in the other wise same file.

That limits severly the possible uses of this collision. You need a situation where you can store arbitrary noisy binary data, and have a program that can react to the presence of one or the other piece of data.

Currently, the only successful demo of Shattered is in a PDF file, because PDF can store arbitrary blobs (e.g.: used to storing bitmap data for illustrations, fonts, etc.) and the PostScript language used in PDF is Turing-Complete (some people are even writing ray-tracers written in post-script).
So you can craft a special PDF that hashes to the same SHA-1 sum, but whose PostScript will generated two different document, depending on which of the two collision block is stored in the blobs.

It's pretty limited in practical use.

In PBKDF, it means that you can have two long passphrases, that will generate the same SHA-1 on the first round of PBKFD2 (so you have a tripple collision : both long passphrase containing the 2 blocks of Shattered, and their SHA-1 sum)

But the exploitability of such a solution is quite limited (complex scenarios like an oracle giving passwords, and Eve secretely colluding with the oracle, so the oracles gives two provably different password to Alice and Eve (e.g.: if they compare the SHA256 or SHA3 of the passwords, they are different), but Eve can use her password to unlock Alice's stuff. And vice versa).

So :
TL;DR: Shattered isn't affecting PBKDF2 directly that much, but people have moved to more modern KDFs anyway, because they are better.

Re:SHA step in PBKDF

[Dragonslicer]

Is Argon2 considered ready for prime time yet, or is it still in the early adopter phase?

No

[diamondmagic]

Don't tell people not to use hashes. The next think they'll think is "Oh, I should use plaintext instead".

A key-derivation function is also insufficient, since the output is only as strong as the input. Meaning if you have a 10-bit password, the resulting KDF strength will still only be 10 bits.

You must use a Password-Based Key Derivation Function. A PBKDF can add ~10 bits of security to a password. So if a user gives "password" as their password (2 bits), the resulting hash has ~12 bits of security.

github should use github

seriously, bcrypt is RIGHT FUCKING THERE and it creates an opaque string with both the salt and the hash.

AGAIN: SECURITY 101 -- databases SHOULD NEVER STORE PASSWORD PLAINTEXT

I've even had shitty devops tell me "It IS encrypted" when all they did is run it through PHP Mcrypt and store the fucking PASSWORD in the PHP CONFIG FILE.

Fucking unbelievable.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Brute forcing + Database leaks + PW re-use

[DrYak]

I don't really see why people are so against to hashes that they need to shout.

My main reason was for commically over-exagerated "hysteria".

The actual reason why people are against hashes, is a combination of three factors :

1. Brute forcing :
   • The computational power has vastly increased recently. Noticed the "Tera hash" that bitcoin ASIC miner have been advertising ? That's trillion of SHA256 hashes computed by second. GPU and FPGA are widely available and are good at brute forcing millions, perhaps billions of hashs per second.
   • We humans suck at picking passwords. You don't need to actually scan the whole vast 256bits space (would be difficult to achieve before end-of-life of our solar system), you can scan a few million of the most popular password and variation there of and/or scan password patterns(*)

   So guessing passwords out of (fast) hashes is completely doable for anyone with a little bit of ressource (paying a tiny sum to rent GPUs on the Cloud).

2. Big data bases leaks:
   Just have a look at http://haveibeenpwned.com/ . Very often (though not always), attacker manage to get the password hashes. If you've been using a fast hashing function like SHA, guessing a significant proportion of the passwords is largely possible (like the point 1. above) at the cost of some GPU cloud-renting.
3. Password reuse :
   we human are stupid and tend to reuse passwords. Once you managed to successfully guess a password from point 2, you can try to see if it unlocks the e-mail account associated with the account in the database, or any other account you can find online associate with the same email and/or username and/or real identity (depending on what the leaked db provides to you).

That last one gives you tons of social engineering and identity theft/impersonation possibility to "profit!!!" from. So you can guess it is something that could happen in the wild.

---
(*) -- (when asked to follow password rules, humans will generally put the capital letter at the beginning, use 5-to-6 letters, then put 2-to-4 numbers, and the special at the end, most of the time it will be "!". The number of combination that follow this rules is vastly smaller than what "[A-Za-z0-9_!#@-]{8,16}" would imply)

Yes, bcrypt and similar are better and should be used. But I'd consider a hash, if properly used, still reasonably secure.

The vast difference is that bcrypt, scrypt and argon2 are on purpose designed to slow down bruteforcing and make FPGA and ASICs difficult (by using lots of iterations, and by requiring lots of memory)

The point 1. from the list above doesn't hold true anymore, so if the KDF's hash get laked in point 2. you can't gain much from them.

By properly used I mean hash(hash(password + salt) + salt), where + stands for concatenation. Even better if it has some concatenated pepper, too.

You don't even need to remember that formula if you remember the letters "hmac"...

For a typical /. geek who :
  - generated purely random string from /dev/random+base64 (good luck using patterns or common password lists on that !)
  - and uses 1 different password for each typical site (no password reuse)
( - and uses a secure password manager to keep them organised)
  - and has activated 2-factors-auth (like Google Auth) on each website that supports it (so even if a password is somehow guessed correctly by shear luck, it's not useful on its own).

Yup, salted hashes are good enough.

For the rest of normal the humans, the 3 points I've listed above a re a real danger.

It's unclear exactly how this bug occurred

[pote]

"It's unclear exactly how this bug occurred"... riiiiiiiight, git blame?