Tell HN: GitHub will reset passwords June 24, 2020

5 points by zatel ↗ HN
When I logged into an old github account I recieved this message:

The password you provided is weak and can be easily guessed. To increase your security, you must update your password. After June 24, 2020 we will automatically reset your password.

-----

It's only for insecure passwords I guess but hopefully if someone needs to see this they will

6 comments

[ 3.0 ms ] story [ 14.3 ms ] thread
I had the same message last month, except my deadline was April 24th. Anyone that's affected will see a message when they log in, but it will actually only reset until you try to log in after that date.

For me, I logged in a few days after my deadline and instead of showing me the warning it just forced me to reset my password. I'm assuming they're doing it on a rolling basis of some sort.

Just out of curiosity: how do they understand password is weak if it is hashed?
OP wrote "When I logged into" so presumably at this point the website can check the password against a password strength/complexity algorithm or top 1000 lists. Ther user had to change the password immediately. Only if you try to skip the step it will auto-reset.
The standard way is, as is pointed out in a parallel comment, checking when the user logs in (since they have to send their unhashed password to the server as part of logging in).

Another approach is to use things like https://haveibeenpwned.com/ to detect users whose credentials are compromised and alert them.

Another more involved approach is to actually try to find collisions with user passwords (using either common wordlists, generated wordlists, or straight brute force) and then notifying users if they find a hit.