What is the reasoning behind github access tokens?

Time: 02-08

And are they more secure or less secure than SSH key pairs?

I am using these instead of SSH key pairs, as referenced on github. And it appears to me that they are just randomized complex passwords.

I authenticate now by putting my username / token in, instead of my username / password. I don't see how this can provide better security than a password.

I'm not opposed to using them, but they just seem like auto-generated passwords. It would also appear they are less secure than SSH.

CodePudding user response:

There are a couple reasons for using GitHub access tokens instead of passwords:

  • Tokens are pseudorandomly generated, so performing a brute-force guessing attack is infeasible.
  • Tokens have a fixed form, which lets them be recognized by secret-scanning software, which can then alert the user or revoke them.
  • Tokens can be more narrowly scoped than passwords and therefore they can be expired or revoked easily in case of compromise without worrying about compromising the entire account.

However, they are still a bearer credential: you have to pass them to the remote system just like a password.

SSH keys are more secure because they use asymmetric cryptography. When the SSH session is created, a one-time shared secret is derived, and your key is only used to sign data derived from that secret. You never send your keys over the connection, and consequently, as long as you keep your private key safe, even an attacker who can compromise the other side cannot compromise your keys.

As VonC noted, tokens are used over HTTPS and SSH keys are used over SSH, so they aren't interchangeable.
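To make the bearer-credential versus signature distinction in this answer concrete, here is an added example (my own code, not from the answer's author or from GitHub). It simulates two servers: one that authenticates by comparing a token the client sends verbatim, and one that, SSH-style, hands out per-session data and only ever receives a signature over it. The key pair is deliberately tiny textbook RSA with constructed primes so the file runs on the standard library alone; it stands in for a real SSH key and the class and function names are hypothetical.

```python
"""Added example (not from the thread): contrast a bearer token, which the
server receives verbatim and can replay, with SSH-style public-key auth,
where the client only ever sends a signature over per-session data.

The signature uses deliberately tiny textbook RSA (constructed primes) so
this runs on the standard library alone; it is a teaching stand-in for a
real SSH key pair and must not be used for anything real.
"""
import hashlib
import secrets

# --- toy key pair (constructed values, far too small for real use) ----------
P, Q = 1000003, 1000033
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def _digest_mod_n(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_d: int, message: bytes) -> int:
    """Client side: sign with the private key, which never leaves the client."""
    return pow(_digest_mod_n(message), private_d, N)


def verify(public_e: int, message: bytes, signature: int) -> bool:
    """Server side: check the signature using the public key only."""
    return pow(signature, public_e, N) == _digest_mod_n(message)


class BearerTokenServer:
    """HTTPS + token: every request carries the credential itself."""

    def __init__(self, token: str):
        self._token = token
        self.received = []           # what a compromised server would have seen

    def request(self, presented: str) -> bool:
        self.received.append(presented)
        return secrets.compare_digest(presented, self._token)


class SignatureServer:
    """SSH-style: the server supplies fresh per-session data; the client signs it."""

    def __init__(self, public_e: int):
        self._e = public_e
        self.received = []

    def new_session(self) -> bytes:
        return secrets.token_bytes(16)   # stands in for the derived session secret

    def request(self, session: bytes, signature: int) -> bool:
        self.received.append((session, signature))
        return verify(self._e, session, signature)


def bearer_replay_succeeds() -> bool:
    """A token the server has seen is reusable as-is: the credential was disclosed."""
    token = "ghp_" + secrets.token_hex(18)        # constructed, token-shaped only
    server = BearerTokenServer(token)
    server.request(token)                         # legitimate login
    captured = server.received[0]
    return server.request(captured)               # replay is accepted


def signature_replay_fails() -> bool:
    """A signature is bound to one session: replaying it into another fails,
    and nothing the server received reveals the private key."""
    server = SignatureServer(E)
    first = server.new_session()
    assert server.request(first, sign(D, first))  # legitimate login
    _, captured_sig = server.received[0]
    second = server.new_session()                 # different session data
    return not server.request(second, captured_sig)


if __name__ == "__main__":
    print("bearer token replay accepted:", bearer_replay_succeeds())
    print("signature replay rejected:   ", signature_replay_fails())
```

The design point is what each server's `received` list holds after a successful login: the bearer server holds the credential itself, so the scoping and revocation features listed above are the only damage control; the signature server holds a signature that is useless for any other session and useless for recovering the key.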

CodePudding user response:

They are first different: a token is to be used with an HTTPS URL.

I know I would not be able to push using SSH from my company: any egress SSH is forbidden.

And since I have to use HTTPS, tokens are mandatory (because they can be easily revoked/regenerated, as opposed to a password which, if compromised, gives access to your whole account).

See more with "Behind GitHub’s new authentication token formats":

Many of our old authentication token formats are hex-encoded 40 character strings that are indistinguishable from other encoded data like SHA hashes. These have several limitations, such as inefficient or even inaccurate detection of compromised tokens for our secret scanning feature.

Token prefixes are a clear way to make tokens identifiable. We are including specific 3 letter prefixes to represent each token, starting with a company signifier, gh, and the first letter of the token type.

Additionally, we want to make these prefixes clearly distinguishable within the token to improve readability. Thus, we are adding a separator: _.
An underscore is not a Base64 character which helps ensure that our tokens cannot be accidentally duplicated by randomly generated strings like SHAs.

And:

A checksum virtually eliminates false positives for secret scanning offline. We can check the token input matches the checksum and eliminate fake tokens without having to hit our database.

Our implementation for OAuth access tokens are now 178:
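The first answer's point that a fixed token form lets secret-scanning software recognise tokens, and the format details quoted in this answer, can both be shown with one small offline scanner. This is an added example (my own code, not from either answer's author and not GitHub's scanner). From the quoted post it takes the `gh` + type-letter prefix, the underscore separator that is not a Base64 character, and the idea of a checksum verifiable without a database lookup. Not on this page, and therefore assumptions of this example, are the 30-character random body followed by a 6-character checksum computed as CRC32 of the body and base62-encoded, which is my recollection of GitHub's published description; the demo tokens are constructed and validate only against this script's own checksum function.

```python
"""Added example (not from the thread or from GitHub): a minimal offline
secret scanner for the token shape described in the quoted post.

From the post: a "gh" + type-letter prefix, an underscore separator that is
not a Base64 character, and a checksum verifiable without a database lookup.
Not on this page and therefore assumptions of this example: the 30-character
random body followed by a 6-character checksum, computed as CRC32 of the body
and base62-encoded (my recollection of GitHub's published description).
Demo tokens below are constructed and only validate against this script's
own checksum function.
"""
import re
import secrets
import zlib

BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# gh + one type letter (p/o/u/s/r) + "_" + 36 base62 characters.
# The underscore and the fixed alphabet are what let a scanner tell a token
# apart from a 40-hex-char SHA, which the old format could not guarantee.
TOKEN_RE = re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b")


def base62_encode(value: int, width: int) -> str:
    digits = []
    while value:
        value, rem = divmod(value, 62)
        digits.append(BASE62[rem])
    return "".join(reversed(digits)).rjust(width, "0")


def checksum(body: str) -> str:
    """6 base62 characters covering the 30-character body (assumed CRC32)."""
    return base62_encode(zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF, 6)


def has_valid_checksum(token: str) -> bool:
    """Offline check: no network, no database, just recompute and compare."""
    body, check = token[4:34], token[34:40]
    return len(token) == 40 and checksum(body) == check


def make_demo_token(kind: str = "p", body: str = None) -> str:
    """Build a token-shaped demo string (constructed; never a real credential)."""
    if body is None:
        body = "".join(secrets.choice(BASE62) for _ in range(30))
    assert len(body) == 30
    return f"gh{kind}_{body}{checksum(body)}"


def scan(text: str) -> list:
    """Report every token-shaped match with its type letter and checksum verdict.
    A failed checksum means 'looks like a token but is not one', which is
    exactly the false positive the checksum was introduced to discard."""
    return [
        {"token": m.group(0), "kind": m.group(0)[2],
         "checksum_ok": has_valid_checksum(m.group(0))}
        for m in TOKEN_RE.finditer(text)
    ]


# Constructed sample: one well-formed demo token, one 40-hex SHA that must
# not match, and one token whose body was altered after the checksum was set.
DEMO_BODY = "DemoOnlyNotARealToken000000000"          # 30 chars, constructed
DEMO_TOKEN = make_demo_token("p", DEMO_BODY)
TAMPERED = DEMO_TOKEN[:5] + "X" + DEMO_TOKEN[6:]      # flips one body character
SAMPLE_TEXT = f"""
GITHUB_TOKEN={DEMO_TOKEN}
commit 0123456789abcdef0123456789abcdef01234567
export GH_TOKEN={TAMPERED}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_TEXT):
        print(finding)
```

Running the file prints two findings: the well-formed demo token with `checksum_ok` true and the altered one with it false, while the hex commit id produces no finding at all. That is the practical gain of the new format for a scanner: the prefix and separator decide what is worth looking at, and the checksum decides what is worth alerting on, both without contacting GitHub.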
