So the other day I pushed some changes to one of my Git repositories and I was asked to enter my username and password, something I hadn’t needed to do in weeks. Then I got an e-mail from GitHub.
You recently used a password to access the repository at Alonso-del-Arte/chess with git using git/2.26.0.windows.1.
Basic authentication using a password to Git is deprecated and will soon no longer work. Visit https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information around suggested workarounds and removal dates.
The GitHub Team
Huh? What? Are you as confused as I am? Are all passwords going to become invalid? How should I log in? I think they could explain this better.
After reading various documentation, I think I figured out what it is that I need to do in order to be able to keep using Git and GitHub without any disruptions through August.
Maybe I could have prepared myself for this eight years ago. When I was accepted for enrollment at the Iron Yard, I was advised to get a GitHub account with an SSH key.
Then the Iron Yard went out of business, but that’s a different story altogether. I only mention it because a few years would pass before I actually got on Git, and I only vaguely remembered what I had been told about the SSH key.
So I opened my GitHub account and came up with a password for it. I don’t have an SSH key. And that’s where I’m at today.
I understand that passwords are annoying. You’re supposed to have a strong, distinct password for each different thing you do online. The idea is that if one of your passwords is compromised, your other passwords are safe.
For example, if your gardening forum password is “coincide7Garden” and your banking password is “coincide7Bank,” someone who cracks your gardening forum password could also crack your banking password.
Suppose instead your banking password is “mxzy52ptlK$.” A hacker tries “coincide7Bank” and it’ll probably cost them one login attempt.
I decided long ago that I would have tiers of password security. I won’t tell you my Pandora password, but I won’t care if you figure it out. I won’t tell you my Git password either, and I would be very worried if you figured it out.
But, come August 13, 2021, my Git password won’t be enough to get into my Git account. Everyone will be required to use multiple factor authentication. Also, password-only authentication will be temporarily disabled on June 30 and July 28, just to make sure everyone has gotten the memo.
So, if you’re still using passwords alone to log into Git on your computer to push your local commits to your remote Git repositories, what is it that you need to do before August 13?
You need to create a personal access token (PAT) or a Secure Shell (SSH) key (the SSH acronym is used a lot more than the PAT acronym).
For developers, if you are using a password to authenticate Git operations with GitHub.com today, you must begin using a personal access token [link removed for security] over HTTPS (recommended) or SSH key by August 13, 2021, to avoid disruption.
I wouldn’t have been offended if you hadn’t trusted clicking on the link for “a personal access token” in my quotation of the guidance from GitHub. Because of the security implications, it’s important that you get to your GitHub account page through a known, trusted link.
That link is to another documentation page anyway. The page lists the steps for creating a personal access token. Step one is to verify your e-mail address, if you haven’t already.
Step two is to go to your GitHub account settings. On the left hand column, you’ll probably see “Profile” as the selected settings category. Scroll down to “Developer settings” and click on it.
That should take you to another settings page with a smaller left hand column, with “GitHub Apps” as the selected category. The third category should be “personal access tokens.”
At this point I decided to use my Web browser’s security inspection capability to verify that I’m on the GitHub website through HTTPS and that GitHub’s current HTTPS certificate is verified by DigiCert and it expires on March 30, 2022 (almost certainly they’ll renew it before then). Looks good to me.
I click on “personal access tokens.” Now I’m confused: I already have a personal access token, created last year, and apparently I’ve used it in the past two weeks. I can delete it or revoke it.
I admit I’m not sure what exactly is the difference between deletion and revocation. But the existing token is said to be “on DESKTOP-N91****,” which matches what I see on Git Bash (though I generally prefer to use the operating system’s command prompt).
So I’m going to go ahead and make myself a new token, but I’ll keep the old one for now. But you’ll probably have to enter your password, which is perhaps one of the reasons why you want to do this before August 13, 2021.
Click the “Generate new token” button. I entered my password and then I was shown a page with a “Note” field at the top. They should call it “Description” instead. I described the token as “Token created for Medium walk-through.”
If you use multiple computers (such as a desktop and two laptops) to commit and push changes to your Git repositories, you should have a different personal access token for each computer.
Let’s say you misplace one of your laptops. Maybe no one will guess your lock screen password, but it would be a good idea to invalidate the PAT for your misplaced computer.
Of course that presumes you identified the computer in the description for the token. For example, “Token for MacBook.”
Below the description, select the scopes the token is for. It gets very fine-grained. I selected the “repo” scope, which encompasses five narrower scopes, which you can select from à la carte if you prefer.
I thought there would be something about expiration dates, but I don’t see it. Oh well, I went ahead and clicked the green “Generate token” button.
Unless you have the misfortune of an interruption of Internet connectivity, the new token will be created, and you will be taken to a page from which you can copy the token, it’s kind of like a really long password.
Copy it to your local system, but absolutely don’t put it into the local copies of any of your repositories, regardless of any Git Ignores that may be in effect. An environment variable might be a good idea.
You should get an e-mail letting you know that a personal access token was added to your account.
Now the moment of truth: I’m going to commit and push some changes to my Scala chess repository.
I’m going to do this through the operating system command prompt rather than through Git Bash. Git status inquiry, add changes to stage for commit, and even committing all go as usual.
When I get to push the changes, a window comes up, looks kind of like a Web browser window, asking for my username and password. But it doesn’t seem to matter what I type in that window, because then I’m asked for the same thing again on the command line.
I type in my username, that’s still the same. Then, unthinkingly, I begin to type my password. But then I remember and I paste in my personal access token instead of my password. The push goes through.
Am I going to have to copy and paste that token from an environment variable into Git every time I want to push some changes, no matter how minor?
No, at least not if I’m using Windows. If I use the following command
C:\Users\AL\IdeaProjects\Chess>git config --global credential.helper wincred
I won’t have to keep entering my personal access token on this particular computer.
If I also use Git on another computer, I should probably get a different personal access token for that other computer. Like I mentioned earlier, the description (the “note”) should then identify that other computer.
As for accessing Git through the GitHub website, you should switch to 2-factor authentication. Your password would be one factor, a special one-time code sent to your phone could be the second factor.