“The password you provided has been reported as compromised due to re-use of that password on another service by you or someone else. GitHub has not been compromised directly. To increase your security, please change your password as soon as possible.”
I thought this was funny when I first saw this message from Github, a website that has over 28 million users and 57 million repositories. I knew I was receiving this message because I used a very similar password for my IBM intern account and my personal account.
So I was telling my coworkers in IT about it, and they pointed out to me in horror – “That means they’re storing passwords in plaintext…”
Well turns out this isn’t true. In fact, they use fairly secure Key-Derivation Function (KDF) software called Bcrypt.
For obvious reasons, this is scary. The responsible practices for password storage are, well, complicated. It’s a combination of hashing or the more secure Key-Derivation Function, both of which basically scrambles up the user’s password so that not just anyone can decode it, and a careful implementation of where . If a company isn’t using proper security for user data, there’s an increased risk of getting hacked. And realistically, if someone managed to snag the password to your Github account, they’d likely be able to get into at least a few of your other accounts as well.
If you want to learn about this more in depth, you can read this interesting thread.