问题
I have received this message today when I tried to push my code:
remote: Weak credentials. Please Update your password to continue using GitHub.
remote: See https://help.github.com/articles/creating-a-strong-password/.
How do they know I used a weak password since they only store the password hash?
回答1:
Yes, your understanding is correct. When you type a password to sign in, create an account, or change your password, GitHub will check if the password you entered is considered weak according to datasets like HaveIBeenPwned. The password may be identified as weak even if you have never used that password before.
GitHub only inspects the password at the time you type it, and never stores the password you entered in plaintext.
Below can be possible implementation:
User login using valid credentials.
Checks if the password is secure before hashing it: Checks the password SHA-1 hash against the Passwords API of https://haveibeenpwned.com/.
If the password is insecure, it can store a binary toggle as a user field.
If the user has that binary toggle set, show a warning on EVERY page and nudge them towards changing the password
来源:https://stackoverflow.com/questions/59425506/how-does-github-know-i-have-a-weak-password