Code repository GitHub is the latest site to have hackers compromise some user accounts, and in response, it's taking aim at bad passwords. In a blog post, GitHub engineer Shawn Davenport said that a brute force attack from around 40,000 IP addresses revealed some commonly used passwords, as well as ones that were used on sites besides GitHub. Davenport defended the site's overall security. "We aggressively rate-limit login attempts and passwords are stored properly," he said, though GitHub is now working on improving those rate limits. Primarily, though, it's saying that user passwords were the key weak link here.
Anyone whose account appeared to be compromised has had their password reset and any third-party keys revoked, and GitHub will be on the lookout for further suspicious activity. In addition to normal strength requirements like length or character requirements, GitHub is also banning any easily guessed passwords, though that requirement seems pretty lax: "passw0rd" is apparently easily guessed by hackers, but "Passw0rd" is not. GitHub also offers two-factor authentication, an increasingly common measure to combat the inherent problems with passwords. GitHub did not immediately respond to questions about how many accounts were affected, but whatever the number is, it's going to be miniscule compared to the most recent high-profile hack, which compromised at least 38 million Adobe user accounts earlier this fall.