githubsecuritypasswordspassword-protection

Github claims somehow my password has been compromised and leaked. But there are no other evidences of it


Recently github welcomed me with a picrel notification that my password is commonly used on other websites and for my own security sake I should change it ASAP. If not, they will reset it for me after a while. enter image description here

The thing is my password is quite specific and far from generic. Odds that someone randomly came with the very same idea are close to 0. What's worse I use it in couple other domains and all of them are very vulnerable. For instance to login for my medical records in governmental service of the national healthcare system in my country. I've double checked all those services and so far none of them reported any recent leaks or security breaches. I also checked couple of most popular lists of compromised passwords with no results.

Is there a way to get a list of the 'commonly used passwords' used by github for comparison? And should I be worried that somehow there was a security breach that wasn't made public?

Or maybe this entire thing was merely a mistake made by a github?


Solution

  • Like other larger companies, there is strong indirect evidence that GitHub actively seeks out passwords that have been leaked from compromised sites, in order to make these notifications. They're proactively correlating email:password pairs before the bad actors do (because that's exactly what the bad actors do!).

    It's more likely that the password is a "real" match - either because someone had a similar strategy for password composition, or else your password was part of at least one leak available to GitHub - and less likely that it's some kind of coincidence (and therefore, you should take the actions that GitHub suggests).

    There are a couple of ways that you can try to validate this for yourself:

    (And you'll notice that I don't include "put your password in some website to see if it's listed" in my recommendations above, for security reasons!)

    Finally, note that these approaches are only definitive if you do find a match. If you don't find a match, GitHub may have access to leak data that these other sources are missing, etc.

    Bottom line, regardless: I'd do what GitHub is suggesting. I'd also move to using a password manager so that you can more easily use a truly unique password for all websites, and stop reusing any passwords for any reason. (Even if you just reuse a password for "unimportant" sites, this information can be correlated in ways that you may not be able to predict!)