Open Source

30970 readers

387 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago

MODERATORS

[email protected]

How is everyone handling the 2FA requirement for GitHub? (docs.github.com)

submitted 5 months ago* (last edited 5 months ago) by [email protected] to c/[email protected]

122 comments fedilink hide all child comments

Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...

you are viewing a single comment's thread
view the rest of the comments

[+] [email protected] -6 points 4 months ago (3 children)

2FA is for people who don't know how to use randomized passwords for every site

[–] [email protected] 5 points 4 months ago (1 children)

Brilliant. Until that website's unsalted pw database is downloaded through a SQL injection.

Use both. You're not smarter than security professionals.

[–] [email protected] 1 points 4 months ago (1 children)

Salt doesn't matter if your password is unique.
If they can download data via SQL injection having them log in probably doesn't matter that much.
If they can dump your password/hash they can likely also dump the TOTP secret.
A lot of website security expert attention is focused on raising the minimum security level. If you are using randomly generated passwords + auto-fill you are likely above their main target audience.

So yes, it is slightly better, but in practice that difference probably doesn't matter. If you use U2F then you may have a meaningful security increase but IMHO U2F is not practical to use on every site due to basically being impossible to manage credentials.

So yes, it is better. But for me using random passwords and a password manager it isn't worth the bother.

[–] [email protected] 0 points 4 months ago

Called it

[–] [email protected] 3 points 4 months ago

The day your machine is compromised is also the day ALL your passwords get stolen.