How can the operator of Github detect whether or not my password applied on their website is commonly used by me on other websites?

I have received a warning message from them forcing me to change my password. The reasoning for that is as above. On the one hand, it is a fair expectation from the operator to apply unique passwords, on the other hand, however, I find it frustrating that they have the ability to know where I have used my passwords.

Can there technically be any source at their disposal, other than my web browser, where website-specific passwords are used?

2
  • github.community/t/… Commented Oct 8, 2021 at 20:04
  • I don't think it necessarily means passwords YOU use elsewhere, just that you or somebody else has used the password somewhere else that has been breached. Commented Oct 10, 2021 at 1:05

3 Answers

2

Can there technically be any source at their disposal, other than my web browser, where website-specific passwords are stored?

Yes, there can be (and there is) another source besides your web browser. That source is the leaked password hashes from all the many website data breaches that have occurred over years and years.

Github can compare the hash of your password to the hashes found in published data breach dumps. If they see the hash of your password in those data breach dumps then they know you have used that password elsewhere.

This seems to be what Github's representative is saying here (excerpt below):

"While the password you have at present may meet the listed requirements, the system also runs a check when you provide your password (during sign in, or sudo access). The check compares a one-way hash of that password against our internal database of credentials known to be compromised by breaches of other websites or services."
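The breach-corpus check this answer describes, as an added example (not GitHub's code): the corpus of compromised hashes is a constructed in-memory sample, and the lookup mimics the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API, so the checking service only ever sees a 5-character prefix of the one-way hash, never the password.

```python
import hashlib
from collections import Counter

# Constructed sample of a "credentials known to be compromised" corpus:
# plaintexts and the number of times each was seen across breach dumps.
# Built from plaintext here only so the example is self-contained; a real
# corpus ingests published dumps and stores only the hashes.
_CONSTRUCTED_LEAKED = Counter({
    "password": 3_000_000,
    "qwerty": 2_000_000,
    "hunter2": 224,
    "letmein": 50,
})


def sha1_hex(password: str) -> str:
    """One-way hash of the password, uppercase hex (the Pwned Passwords convention)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# What the checking service actually stores: hash -> breach count.
COMPROMISED_HASHES = {sha1_hex(p): n for p, n in _CONSTRUCTED_LEAKED.items()}


def range_lookup(prefix5: str) -> dict:
    """Service side of a k-anonymity range query: return every stored hash
    suffix sharing the 5-hex-char prefix, with its breach count.  The service
    learns only the prefix, not the full hash and certainly not the password."""
    return {h[5:]: n for h, n in COMPROMISED_HASHES.items() if h[:5] == prefix5}


def times_seen(password: str) -> int:
    """Client side: hash locally, send only the 5-char prefix, then match the
    remaining 35 hex chars against the returned suffixes.  0 means not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


def password_check(password: str) -> str:
    """Decision a sign-in flow could make, mirroring the warning in the question."""
    n = times_seen(password)
    if n == 0:
        return "ok: not found in known breach corpus"
    return f"rejected: this password has been seen {n} times before"


if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple"):
        print(pw, "->", password_check(pw))
```

Note that a match only proves the password string appears in some breach, not that this particular user leaked it; the service cannot tell whose reuse it is.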

1

How come the operator of Github is able to detect whether or not my password applied on their website is commonly used by me on other websites?

They can't get that from your browser or other sites. But the password is probably part of a password leak, which is commonly how actors know about password reuse. And they can get information from password leaks.

4
  • So far so good. Just checked if I've been pwned, but it's not the case. Huhhh. I'm not sure if I can interpret this correctly: "part of a password leak" Commented Oct 8, 2021 at 19:54
  • @APoftaTapofta Did you just check your email address or did you also check your password? Commented Oct 8, 2021 at 20:00
  • @nobody: You are right: "This password has been seen 224 times before" My question: seen by whom, where, how? Commented Oct 8, 2021 at 20:05
  • 1
    @APoftaTapofta Seen in the leaked password databases of many websites. (Edit: Just noticed, hft has provided an answer explaining this.) Commented Oct 8, 2021 at 20:33
0

Not only GitHub. Chrome warns you of weak passwords from publicly known password leaks.

If a website were able to read passwords stored on your PC just by you visiting their site, it would be a major security vulnerability.
