[SOLVED] Github - Pushing code with Personal Access Token for both Username and Password works

Github - Pushing code with Personal Access Token for both Username and Password works

When I was using my PAT (Personal Access Token) in the Username field and in Password field as well, the code was pushed successfully.

Is it an Issue or a Hidden feature in Github to use PAT for both Username and Password?

PS: I would love to use this approach for some reasons since I use multiple Github accounts which cannot be added in system config. But worried if it would cost a security measures.

EDIT 1:

When using PAT, the username field is simply ignored. Tested by providing wrong username with right PAT. It worked.

Could someone explain why would someone implement a feature in such a way?

Solution

It is intentional that GitHub allows you to place tokens in the username field as well as the password field, because sometimes people do this and it's nice to make it work. The token is itself sufficient to identify you and the access granted, so a username is strictly not needed (and, if a token is provided, is ignored). You can in fact specify the token in the username with any password as well.

However, there are several reasons why you should always put it in the password field:

Many programs don't treat usernames as secret and will print them everywhere, which means that your token is suddenly on your screen or in logs. This is not great if you're in a coffee shop or an airport or you have publicly visible logs. Programs are usually much more careful about passwords.
Specifically, credential helpers often store usernames in a visible way, or, in some cases, unencrypted, whereas passwords are stored securely.
If you specify your username in the username field, then you can follow the procedure outlined in the Git FAQ to adjust which account is used by simply changing the username in the URL. If you use a token in the username, then that will work, but it will mean your token is written in plaintext in your config file, which you'd want to avoid, and you'd have to update every repository to change the URL if your token needs updating, unlike with a username.

So I wouldn't classify it as either an issue or a hidden feature. It is intentional that it works, but because many other programs are less fastidious about the security of usernames, it's probably best to avoid it.