GitHub has urged users to set up two-factor authentication for their accounts and has already reset passwords for compromised accounts.
> “We sent an email to users with compromised accounts letting them know what to do,”
> “Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked.”
However, GitHub hashes passwords with the bcrypt algorithm, which is extremely resilient against brute force attacks because computing each password hash is deliberately slow.
In a blog post, GitHub engineer Shawn Davenport said that a brute force attack from around 40,000 IP addresses revealed some commonly used passwords. These addresses were used to slowly brute force weak passwords.
In addition to normal strength requirements such as length and character rules, GitHub has banned frequently used weak passwords on the site and has "aggressively" rate-limited login attempts.
The common passwords found included Password1, Password123, Qwerty123, access14, admin123, bond007, letmein, pa55w0rd, passw0rd, password1, password123 and others like them.
> "This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information."
The exact number of compromised GitHub accounts was not disclosed, but GitHub's sign-up page now says passwords need to be at least seven characters long and contain at least one lowercase letter and one numeral.
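As an added illustration (not GitHub's code or anything from its blog post), the script below implements the password policy and deny list the article describes, and then contrasts plain per-IP rate limiting with per-account failure counting on a constructed login log, which is why a slow attack from many addresses can slip past the first but not the second. The log format, the 198.51.100.x / 203.0.113.x addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Weak passwords named in the article; a real deny list would be far larger.
BANNED = {"Password1", "Password123", "Qwerty123", "access14", "admin123",
          "bond007", "letmein", "pa55w0rd", "passw0rd", "password1", "password123"}
BANNED_LOWER = {b.lower() for b in BANNED}

def password_acceptable(pw: str) -> bool:
    """Policy from the article: >= 7 chars, one lowercase letter, one digit,
    and not on the deny list (this example also rejects case variants)."""
    if pw.lower() in BANNED_LOWER:
        return False
    return len(pw) >= 7 and bool(re.search(r"[a-z]", pw)) and bool(re.search(r"\d", pw))

# Assumed log format: "<ip> login <ok|fail> user=<name>"
LOG_RE = re.compile(r"(?P<ip>\S+) login (?P<result>ok|fail) user=(?P<user>\S+)")

def parse(lines):
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def noisy_sources(events, per_ip_limit):
    """Classic per-IP rate limiting: sources whose failures exceed the limit."""
    fails = Counter(e["ip"] for e in events if e["result"] == "fail")
    return {ip for ip, n in fails.items() if n > per_ip_limit}

def targeted_accounts(events, per_account_limit):
    """Per-account view: accounts whose failures, summed over every source,
    exceed the limit, mapped to the number of distinct sources involved."""
    fails, sources = Counter(), defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            fails[e["user"]] += 1
            sources[e["user"]].add(e["ip"])
    return {u: len(sources[u]) for u, n in fails.items() if n > per_account_limit}

# Constructed sample: 40 addresses each fail twice against "alice" (staying
# under a per-IP limit of 5), while "bob" mistypes once from his own address.
SAMPLE_LOG = [f"198.51.100.{i} login fail user=alice" for i in range(1, 41) for _ in range(2)]
SAMPLE_LOG += ["203.0.113.7 login fail user=bob", "203.0.113.7 login ok user=bob"]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(noisy_sources(ev, 5))       # set(): per-IP limiting sees nothing
    print(targeted_accounts(ev, 10))  # {'alice': 40}
```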
So always choose a good password that will be hard to crack: use a mix of numbers, letters and non-dictionary words, and choose a separate, unique password for each account or service.