On the eve of World Password Day the code hosting service, Github, announced that it had inadvertently recorded visitors passwords to its internal logging system in clear-text. Reportedly, a small code error was to blame for exposing the private credentials before it was remedied. As an added security measure, Github urged a number of its 27 million users to change their passwords in order to regain access to their accounts.
This breach has since been contained by Github and dismissed by some observers as a “minor borkage,” but it stands as a stark reminder that the organizations we trust with our passwords are one small bug away from one big breach. And a near-miss like this one highlights the danger of employing a ‘cross my fingers and hope for the best’ type of policy.
What can you do to prevent a scarier outcome? In short: two factor authentication (2FA). Instead of signing into your accounts using only a password, 2FA allows you to set up an additional security check at each login. For example, a 2FA check could mean a 6-digit pin sent to your phone for verification or a randomized code displayed by an app on your personal device. And believe it or not, most organizations give you this option - though it’s often turned off by default. The minor inconvenience of an additional security check will far outweigh the pain of recovering from data loss or a stolen identity.