How Secure Is Storing Password with Git

How secure is storing password with Git?

git config credential.helper store is not very secure; as it said in documentation:

Using this helper will store your passwords unencrypted on disk,
protected only by filesystem permissions

The ~/.git-credentials file will have its filesystem permissions set to prevent other users on the system from reading it, but will not be encrypted or otherwise protected.

So it stores your password as is. Git allows to use your keychain git config --global credential.helper osxkeychain for OSX, so it seems to be more secure. For Linux system you may use git config credential.helper cache, which stores passwords in your memory. Or you can write your own as it said in git help credentials:

You can write your own custom helpers to interface with any system in
which you keep credentials. See the documentation for Git's
credentials API for details

Besides, @VonC pointed to the cross-platform GPG-based solution. See also this question about .netrc file.

There is also gnome-keyring helper for Linux (thanks to @jazakmeister for advice)

What is the best practice for dealing with passwords in git repositories?

The typical way to do this is to read the password info from a configuration file. If your configuration file is called foobar.config, then you would commit a file called foobar.config.example to the repository, containing sample data. To run your program, you would create a local (not tracked) file called foobar.config with your real password data.

To filter out your existing password from previous commits, see the GitHub help page on Removing sensitive data.

Git http - securely remember credentials

git invokes cURL when running over HTTP. You can store secure credentials by setting up a .netrc file in your user's home directory, and making it private to the user (0600 in Linux).

The contents of the file provide the username and password per remote domain.

machine myRemoteServer
login myUserName
password s3cret

See https://stackoverflow.com/questions/3947530/git-push-fatal-failed/7177690#7177690 for full server side configuration, which can easily include calls to your ldap server.

How secure is git credential caching with `git config --global credential.helper 'cache`?

If somebody else SSH-ed into the same device (as a different user with different SSH keys), would they also be able to view the credentials

No, since, as the documentation mentions, the cache is accessible over a Unix domain socket, restricted to the current user by filesystem permissions.

compare vs. using git SSH key authentication security wise?

SSH keys means you are not typing a password.

To achieve the same with HTTPS, it is better to use a persistent cache, rather than a temporary one, where you need to type the password at each session.

The latest one would be GCM-core: Git Credential Manager Core.

It needs to be installed, but once git config credential.helper is set to manager-core, it will store the password (for a given URL) in a secure local vault, using libscret to communicates with the "Secret Service" using D-Bus (gnome-keyring and ksecretservice are both implementations of a Secret Service.)

Is it considered good practice to store passwords in a private Github repository?

I'd like to break this question into two parts:

  • Is it a good practice to store passwords in source control? No. Credentials are not versioned in the same way. For example, you should be able to change your password without releasing a new build of your software.
  • Is it a good practice to store passwords in the cloud? That's really up to your tolerance for security and reliability. In this case, you're outsourcing both to GitHub. If GitHub loses your data, do you have a backup elsewhere? If GitHub gets hacked (e.g. your private repo briefly becomes public) or if they don't securely destroy old drives, what's the impact if an unauthorized person has your credentials?

Also, when you store credentials, encrypt them and store the key elsewhere.

Is a private repository on github or bitbucket safe for storage of passwords?

Please don't do that.

Storing passwords on thirdparty services is generally a bad idea, especially ones not designed for secure data storage.

Github has a pretty detailed article about their security:
https://help.github.com/articles/github-security/

They don't encrypt the repositories on disk because, as they point out:

We do not encrypt repositories on disk because it would not be any more secure: the website and git back-end would need to decrypt the repositories on demand, slowing down response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.

So, at the very least, your passwords would be accessible to GitHub employees.

Private repos are basically just the same as non-private ones, they're just not listed on the website for people who aren't allowed to see them.

Plus, if you stop paying, don't your private repos become public?

Do you really trust everyone you're going to give access to your repository to not abuse the passwords, and not publish them?

The problem you presumably have is roughly "I have a piece of software that needs to use database passwords and it's annoying to have to keep inputting them so I want to put them in the config file I store in git".

One way to solve this problem is to make a file containing your passwords, passwords.json, and add this to your .gitignore. You would then commit to your repo a passwords-example.json showing the format of passwords.json, just without any real passwords (and presumably a README.md explaining how to use this).

How can I save username and password in Git?

Attention: This method saves the credentials in plaintext on your PC's disk. Everyone on your computer can access it, e.g. malicious NPM modules.

Run

git config --global credential.helper store

then

git pull

provide a username and password and those details will then be remembered later. The credentials are stored in a file on the disk, with the disk permissions of "just user readable/writable" but still in plaintext.

If you want to change the password later

git pull

Will fail, because the password is incorrect, git then removes the offending user+password from the ~/.git-credentials file, so now re-run

git pull

to provide a new password so it works as earlier.


Related Topics

Check If Rsync Command Ran Successful

How to Emulate the Raspberry Pi 2 on Qemu

Awk One Liner Select Only Rows Based on Value of a Column

Using Find - Deleting All Files/Directories (In Linux ) Except Any One

How to Extract Characters Between the Delimiters Using Sed

How to Create a File in Linux from Terminal Window

Freeing Up a Tcp/Ip Port

Bluetoothctl to Hcitool Equivalent Commands

Multiple Package Manager

How to Control Backlight by Terminal Command

Is It Possible That Linux File Descriptor 0 1 2 Not for Stdin, Stdout and Stderr

How to Get Started Developing on *Nix

Spidev Linux Driver on Intel Atom Board

Xdotool Commands Bound to Key Shortcuts Doesnot Work

Compare File's Date Bash

Munmap() Failure with Enomem with Private Anonymous Mapping

Use Ssh to Start a Background Process on a Remote Server, and Exit Session

How to Get Exit Status of a Shell Command Used in Gnu Makefile


Leave a reply



Submit