Better password security in GitHub for Windows

Image of Phil Haack

We’re always looking at ways to improve security. Today’s release of
GitHub for Windows (version 1.0.54) improves password handling security
through the use of OAuth tokens.

Prior to this release the application would encrypt and store your password.
Since the application also registers itself as your Git credential provider,
the app would provide your credentials in clear text to Git.exe whenever it
asked for them.

With this release, when you log in with your username and password, the
application registers itself on GitHub.com as an Authorized application and
receives an OAuth token that it stores instead of your password. This is
similar to how other applications that integrate with GitHub work such as
Travis-CI.

Go to your account settings and click the Applications tab
to see a list of authorized applications.

For a while now, GitHub has supported using Git over HTTPS with an OAuth token.
Now, when Git requires your credentials, GitHub for Windows passes your OAuth
token to Git.

One benefit of this approach is if someone steals your laptop, you can just
go to the Applications tab and click the Revoke button to invalidate the
current OAuth token. The thief can’t retrieve your password from the contents
of your hard-drive. The next time you log in, GitHub for Windows registers
itself again and receives a newly generated OAuth token. Of course in this
situation, it’s still a good idea to change your password.

Enjoy more secure access to your GitHub account!