We’re always looking at ways to improve security. Today’s release of GitHub for Windows (version 1.0.54) improves password handling security through the use of OAuth tokens.
Prior to this release the application would encrypt and store your password. Since the application also registers itself as your Git credential provider, the app would provide your credentials in clear text to Git.exe whenever it asked for them.
With this release, when you log in with your username and password, the application registers itself on GitHub.com as an Authorized application and receives an OAuth token that it stores instead of your password. This is similar to how other applications that integrate with GitHub work such as Travis-CI.
Go to your account settings and click the Applications tab to see a list of authorized applications.
For a while now, GitHub has supported using Git over HTTPS with an OAuth token. Now, when Git requires your credentials, GitHub for Windows passes your OAuth token to Git.
One benefit of this approach is if someone steals your laptop, you can just go to the Applications tab and click the Revoke button to invalidate the current OAuth token. The thief can’t retrieve your password from the contents of your hard-drive. The next time you log in, GitHub for Windows registers itself again and receives a newly generated OAuth token. Of course in this situation, it’s still a good idea to change your password.
Enjoy more secure access to your GitHub account!