Thread: 13 messages, 7 authors, 2023-05-29

Re: The enduring popularity of git-credential-store

From: Michal Suchánek <hidden>
Date: 2022-11-08 12:00:31

Hello,

On Tue, Nov 08, 2022 at 10:50:33AM +0000, M Hickford wrote:
> Among StackOverflow users [1], git-credential-store appears several
> times more popular than any other credential helper. Does this make
> anyone else uneasy? The docs warn that git-credential-store "stores
> your passwords unencrypted on disk" [2]. Are users sacrificing
> security for convenience?
>
> Firstly, how grave is storing credentials in plaintext? Software
> development guidelines such as CWE discourage storing credentials in
> plaintext [3]. Password managers in desktop environments, mobile
> operating systems and web browsers typically encrypt passwords on disk
> and guard them behind a master password.
>
> Secondly, the docs recommend git-credential-cache [2] which ships with
> Git and is equally easy to configure. So why isn't it more popular? My
> hypothesis: while caching works great for passwords typed from memory,
> the combination of caching with personal access tokens has poor
> usability. The unmemorised token is lost when the cache expires, so
> the user has to generate a new token every session. I suspect GitHub's
> 2021 decision to stop accepting passwords [4] may have inadvertently
> pushed users from 'cache' to 'store'.
>
> Thirdly, why doesn't everyone use SSH keys? Unlike HTTP remotes,
> upfront set-up is necessary to clone a public repo. For users
> unfamiliar with SSH, this set-up may be intimidating. Introducing
> users new to Git to SSH at the same time is a significant cognitive
> load.

I think that basically there is a very small user base that could make use
of the provided authentication options in a more secure manner.

The novice users use the simplest option. Using any kind of password
manager with git is difficult to set up and platform-specific.

The advanced users need automation which in the end means storing the
access credentials in plaintext in one way or another.

If GitHub provides access tokens that can be assigned per-application,
managed, and individually revoked, this is probably as good as it gets.
How well the users make use of this feature depends on their security
awareness and requirements.

Thanks

Michal
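The thread keeps returning to what git-credential-store actually does with a token. The script below is an added example for this page, not code from the git project or from any of the thread's authors: a minimal helper that speaks the git-credential protocol (key=value lines terminated by a blank line) and writes the same plaintext line format as git-credential-store (protocol://user:secret@host), with the file created mode 0600 as the real helper does. It makes concrete what "unencrypted on disk" means and what a custom helper that wraps something else (a password manager, an OS keyring) would have to implement. The CRED_FILE environment variable, the demo() round-trip and every credential in it are constructed for illustration; nothing here is git's own implementation.

```python
"""Minimal clone of git-credential-store's on-disk behaviour (added example,
not git project code). Run by git as:  git config credential.helper '!python3 /path/helper.py'
CRED_FILE and all sample credentials are constructed for illustration."""
import os
import sys
import tempfile
from urllib.parse import quote, unquote, urlsplit


def parse_request(text):
    """Parse the key=value lines git pipes to a helper (git -> helper)."""
    req = {}
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the request
        key, sep, value = line.partition("=")
        if sep:
            req[key] = value
    return req


def format_response(cred):
    """Serialise a dict in the same protocol format (helper -> git)."""
    return "".join(f"{k}={v}\n" for k, v in cred.items()) + "\n"


def to_store_line(cred):
    """One ~/.git-credentials line: protocol://user:secret@host[/path]."""
    line = "%s://%s:%s@%s" % (cred["protocol"], quote(cred["username"], safe=""),
                              quote(cred["password"], safe=""), cred["host"])
    return line + ("/" + cred["path"] if cred.get("path") else "")


def from_store_line(line):
    """Parse one stored line back into a credential dict."""
    parts = urlsplit(line.strip())
    cred = {"protocol": parts.scheme,
            "host": parts.netloc.rpartition("@")[2],  # keeps any :port, unlike .hostname
            "username": unquote(parts.username or ""),
            "password": unquote(parts.password or "")}
    if parts.path.lstrip("/"):
        cred["path"] = parts.path.lstrip("/")
    return cred


def matches(cred, req):
    """Store-style matching: protocol and host must agree; username and path
    are compared only when the request supplies them."""
    if cred["protocol"] != req.get("protocol") or cred["host"] != req.get("host"):
        return False
    if "username" in req and cred["username"] != req["username"]:
        return False
    if "path" in req and cred.get("path") != req["path"]:
        return False
    return True


def read_lines(path):
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return [l for l in f.read().splitlines() if l.strip()]


def write_lines(path, lines):
    # Mode 0600 keeps other local users out, but the secrets inside are still
    # plaintext for anyone (or any process) that can read the file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("".join(line + "\n" for line in lines))
    os.chmod(path, 0o600)


def lookup(lines, req):
    """Return the first stored credential matching the request, or None."""
    for line in lines:
        cred = from_store_line(line)
        if matches(cred, req):
            return cred
    return None


def store(path, cred):
    """Persist cred, replacing any existing entry for the same target."""
    kept = [l for l in read_lines(path) if not matches(from_store_line(l), cred)]
    write_lines(path, kept + [to_store_line(cred)])


def erase(path, req):
    """Drop entries matching req (git asks for this after an auth failure)."""
    write_lines(path, [l for l in read_lines(path) if not matches(from_store_line(l), req)])


def demo():
    """Round-trip store -> get -> erase in a temp file; returns what each step saw."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "git-credentials")
        cred = {"protocol": "https", "host": "github.com",
                "username": "alice", "password": "ghp_example_token"}  # constructed
        store(path, cred)
        with open(path) as f:
            on_disk = f.read()  # the token, readable as-is
        mode = oct(os.stat(path).st_mode & 0o777)
        found = lookup(read_lines(path), {"protocol": "https", "host": "github.com"})
        erase(path, {"protocol": "https", "host": "github.com", "username": "alice"})
        after = lookup(read_lines(path), {"protocol": "https", "host": "github.com"})
    return on_disk, mode, found, after


def main(argv):
    """git runs: helper <get|store|erase>, with the request on stdin."""
    path = os.environ.get("CRED_FILE", os.path.expanduser("~/.git-credentials"))  # CRED_FILE is hypothetical
    req = parse_request(sys.stdin.read())
    if argv[1] == "get":
        cred = lookup(read_lines(path), req)
        if cred:
            sys.stdout.write(format_response({"username": cred["username"], "password": cred["password"]}))
    elif argv[1] == "store" and "username" in req and "password" in req:
        store(path, req)
    elif argv[1] == "erase":
        erase(path, req)


if __name__ == "__main__":
    main(sys.argv)
```

Two things worth noticing when you run demo(): the file contents are the literal token, so any process running as the user (a malicious npm postinstall script, a compromised editor plugin) can read it with no prompt, which is the threat the docs' warning is about; and the whole protocol is small enough that the same skeleton, with store()/lookup() swapped for calls into a keyring or a password manager CLI, is all a platform-specific helper needs.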