top | item 28164667

aloisklink | 4 years ago

GitHub mentioned this in their blog-post: https://github.blog/2020-12-15-token-authentication-requirem...

> Tokens offer a number of security benefits over password-based authentication:

> - Unique – tokens are specific to GitHub and can be generated per use or per device

> - Revocable – tokens can be individually revoked at any time without needing to update unaffected credentials

> - Limited – tokens can be narrowly scoped to allow only the access necessary for the use case

> - Random – tokens are not subject to the types of dictionary or brute force attempts that simpler passwords that you need to remember or enter regularly might be

I pretty much do the same thing, I just copy-and-paste a PAT from my password manager when I need it on VMs. The big benefit to us is that PATs are "limited", and mine only has Git repo access, so unlike my password, it can't:

- Delete repos

- Edit my GitHub organization

- Share my private repos with other users

- Add/remove SSH keys from my account

There's always the chance that software you install on your VM would contain a keylogger (e.g. malicious NPM/PyPI libraries), so limiting the damage that your credentials can do is always a good thing.
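The "limited" property only holds if the token you paste onto the VM really is narrowly scoped. The script below is an added example, not code from the comment or from GitHub: it audits a classic PAT's granted scopes against an allowed set, expanding parent scopes (so a token granted `admin:org` is reported as also carrying `write:org`) and flagging the capabilities the comment lists (deleting repos, editing the org, managing SSH keys). It assumes a classic PAT and that GitHub reports granted scopes in the `X-OAuth-Scopes` response header of an authenticated API call; the scope map is a partial subset of GitHub's, and the sample header values are constructed.

```python
"""Audit how much a GitHub classic PAT can actually do before using it on a VM.

Added example (not from the thread). Assumes a classic PAT, whose granted scopes
GitHub returns in the X-OAuth-Scopes header of an authenticated API response.
"""
import urllib.request

# Partial map of parent scope -> scopes it implies (a subset of GitHub's list).
SCOPE_IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
}

# Capabilities the comment above wants a VM-only token NOT to have:
# deleting repos, editing the organization, adding/removing SSH keys.
DANGEROUS = {"delete_repo", "admin:org", "write:org", "admin:public_key", "write:public_key"}


def parse_scopes(header_value):
    """Parse an X-OAuth-Scopes header value such as "repo, gist" into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(scopes):
    """Close a scope set under the implies relation, e.g. repo -> public_repo."""
    result = set(scopes)
    pending = list(scopes)
    while pending:
        scope = pending.pop()
        for child in SCOPE_IMPLIES.get(scope, ()):
            if child not in result:
                result.add(child)
                pending.append(child)
    return result


def audit_scopes(header_value, allowed):
    """Return (effective_scopes, excess): effective scopes not covered by `allowed`.

    Parents are expanded on both sides, so a granted admin:org is caught as
    excess write:org even though write:org never appears literally in the header.
    """
    effective = expand_scopes(parse_scopes(header_value))
    allowed_effective = expand_scopes(set(allowed))
    return effective, effective - allowed_effective


def dangerous_scopes(header_value):
    """Subset of the token's effective scopes that fall in the DANGEROUS set."""
    return expand_scopes(parse_scopes(header_value)) & DANGEROUS


def fetch_scopes(token):
    """Live check (needs network): call GET /user and read X-OAuth-Scopes.

    Not exercised offline; pass a real token in place of the placeholder.
    """
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": "token " + token, "User-Agent": "pat-scope-audit"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Constructed sample header values, as two different tokens might report them.
    for sample in ("repo", "repo, admin:org, delete_repo, admin:public_key"):
        _, excess = audit_scopes(sample, allowed={"repo"})
        verdict = "OK" if not excess else "EXCESS: " + ", ".join(sorted(excess))
        print(f"{sample!r} -> {verdict}; dangerous: {sorted(dangerous_scopes(sample))}")
```

Run it against the header a live `GET /user` call returns (via `fetch_scopes`) before pasting a token into a fresh VM; anything in the excess set is access a keylogged token would hand over beyond what the job needs.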

benatkin | 4 years ago

In many cases, none of these makes a difference at all. You may have 3 apps that need the most important permission (so what if it has unnecessary access to gists, when it has and needs full access to private repos) that you use on a single computer with a password manager. Either way, you need to reset the password/key if it becomes compromised.

Still, it's good to be in the habit of doing this, because sometimes you do need it.