this post was submitted on 24 Jan 2024
1 points (100.0% liked)

Open Source

31118 readers
288 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

First, they restricted code search without logging in so I'm using sourcegraph But now, I cant even view discussions or wiki without logging in.

It was a nice run

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 9 months ago (1 children)

I think this comment pretty well summarizes my argument on it. The only parts not addressed:

Passwords can be short and simple. API tokens are lengthy and random, and you can't change that.

You can, as most modern web services including github do, have a minimum length and complexity for the password. That's a very important part of the process yes.

Plus, you seem to still not be grasping the core of my argument: github still authenticates with a password. You can still log in to the web site and change everything, if you compromise someone's password, whether because it's insufficiently complex or for any other reason.

Also, you never type in your API key, and that can help against shoulder- and camera-surfing.

I would like to see a quantitative comparison of how many github compromises there have been because of a stolen API token vs. compromises of some comparable service from a shoulder-surfed password.

[–] [email protected] 0 points 9 months ago (1 children)

You can, as most modern web services including github do, have a minimum length and complexity for the password. That's a very important part of the process yes.

Sorry, I wasn't clear. What I wanted to say is that passwords can be insecure, and in the case of lazy people that had consequences on security. I think the minimum is often not really secure, it's just "fine if you really must" but allowed to not lose to many users.
And at the same time tokens are always secure. It's not defined by the user, they cannot lazy it away, it's made equally complicated for everyone. Fortunately they don't have to type it either, it's copy paste and done.

However I have to admit that while writing this response, complexity is not really the point with github access tokens.

Plus, you seem to still not be grasping the core of my argument: github still authenticates with a password. You can still log in to the web site and change everything, if you compromise someone's password, whether because it's insufficiently complex or for any other reason.

That's right, these tokens won't protect the lazy from their account being taken over. But I think these are still more secure for their use case: storing them in mostly text files, because the programs to which you give these will probably do that, and as these are not really password-equivalent things (these have very limited access to your account), it's less of a problem.

Your original question here was how will it be more secure that we are storing these tokens in our password managers besides our passwords. My answer is that even if you put it into your password manager, that's not it's final place: it will probably end up in text files and other such places, and if such a file gets into the wrong hands you'll be in less of a trouble because of the limited permissions. If you would have stored your password there, you could be hoping that you'll get your account back, and that the person did not do anything bad in your name.

I think much of the confusion is coming from you believing that api tokens are equivalent to passwords. That's not the case. Even if you give all possible permissions to a token, it won't be able to do everything that you can do with the password through the website. In short, the main point here is that you don't have to use your password in places where that's totally unnecessary, and fewer permissions are fine.

[–] [email protected] 0 points 9 months ago (1 children)

it will probably end up in text files and other such places, and if such a file gets into the wrong hands you'll be in less of a trouble because of the limited permissions

I am abandoning this conversation. This is only true with API tokens. With passwords, it generally stays in the password manager. The fact that the damage from your stolen API token is then mitigated if you've reduced its scope still leaves you in a worse position than if it had never been stored in the text file and never been stolen in the first place. If you can't or won't grasp this central point (or the other I mentioned in my other message), I think we have nothing to discuss.

[–] [email protected] 0 points 9 months ago (1 children)

The fact that the damage from your stolen API token is then mitigated if you've reduced its scope still leaves you in a worse position than if it had never been stored in the text file and never been stolen in the first place.

First, it's not a question if you have reduced it's permissions. With an api token you simply can't do a lot of things that you can with a password.

Second, you don't use api tokens as a hobby. You use them because you want to use a tool that needs to have access to your account. Either you use an api token that has a limited set of permissions, or your password that can do anything. Independently of that, it will be stored in a plain text file, because where in the heaven would it store it so that it does not need to prompt you for it every single time? Yes, there are a dozen secret store programs that could be used instead, but a lot of programs will not have support for every one of them. I fail to see that in case how a token with fewer permissions is worse than a password with all the permissions.

[–] [email protected] 0 points 9 months ago (1 children)

Aha, I think we have arrived at the crux of the confusion.

As I said several times before, I'm extremely in favor of using API tokens that way, when they're being used from an automated workflow where the alternative is to store a password. That's an increase in security, yes.

What I'm irritated about is that my use of git as a command-line tool does not function to interact with github if I just give my github password. I do not have an automated workflow. I'm just using git from the command line, and would like to be able to type my password.

If this reduction in the security and convenience of my daily setup is because github believes, as you do apparently, that the only reason to use the command line is from an automated workflow, that may form a clue as to why they don't give a shit about my preferred workflow or my not wanting to introduce new attack vectors into it. Fair enough. But please don't lecture me on how not letting me just enter my password, and forcing me to store tokens for my interactive workflow, is better. Because for me, it isn't.

Glad we had this talk.

[–] [email protected] 0 points 9 months ago (1 children)

Yes, it looks like it was me who was confused. I did not know that github does not accept anymore the password when using git, and you're right that this is unnecessary. Sorry that I was rude, me implying that you were confused really wasn't a friendly thing.

If you use git often, and this is in the way for you, I think it's possible to save it in the gitconfig, tough, if that's fine. I think git should be able to use the credential manager of mac's too if you use that, but maybe it needs a separate package installed for that to work.

[–] [email protected] 0 points 9 months ago

Hey it's all good. In seriousness I am glad we came to a point of understanding now.

And yeah, my API token I generated for the command line, I keep stored in my OSX keychain. It's all set at this point. I'm just irritated that I had to go through all that bollocks in the first place, and for no increase in security but actually a slight reduction, since my github password is not in the OSX keychain, but in a much-more-secure password manager and in my memory. And, that from time to time the whole issue rears its head again like it did yesterday.

Actually, holy shit - you just made me realize, as I was thinking on that "slight reduction in security" statement, that the pass"phrase" for my OSX keychain is one that I reused in other places on the internet, not one that I treat as "holy shit needs to be super-secure" like for my other password manager. Brb I am changing that right now.