Why GitHub Dropped Password Authentication and How to Switch to Token‑Based Access
GitHub permanently disabled password authentication for Git operations on August 13, 2021, urging developers to adopt token‑based methods such as personal access tokens, OAuth, or SSH keys, and outlines the timeline, security benefits, workflow impacts, and steps required to transition.
On Friday, August 13 (09:00 PST, 00:00 CST on the 14th), GitHub officially discontinued password‑based Git authentication, requiring developers to use token‑based authentication (personal access tokens, OAuth, SSH keys, or GitHub App installation tokens) for all Git operations.
1. Reasons for Changing Authentication Method
GitHub announced back in July 2020 that all authenticated Git operations would move to token‑based authentication. The rollout schedule was:
July 30 2020 – Users authenticating via API with passwords received an email urging an update.
September 30 and October 28 2020 – All API operations temporarily required personal access or OAuth tokens.
November 13 2020 – All REST API authentication required personal access or OAuth tokens (GraphQL already required tokens).
Mid‑2021 – All authenticated Git operations required personal access tokens or OAuth tokens.
GitHub cites enhanced security features (2FA, login alerts, device protection, compromised‑password protection, WebAuthn) that make password reuse risky. Tokens offer several advantages:
Uniqueness – Tokens are specific to GitHub and can be scoped per device or usage.
Revocability – Tokens can be revoked individually without affecting other credentials.
Limited Scope – Tokens grant only the permissions required for a given use case.
Randomness – Tokens are far more complex than user‑chosen passwords, resisting brute‑force attacks.
2. Impact of the New Authentication Method
Workflows Affected
Command‑line Git access.
Desktop applications that rely on password authentication (GitHub Desktop is unaffected).
Any application or service that accesses GitHub repositories using a username and password.
What Is Not Affected
Accounts with two‑factor authentication must already use token‑ or SSH‑based authentication.
GitHub Enterprise Server users are not impacted.
GitHub Apps do not support password authentication.
3. What Users Need to Do
Developers must switch to personal access tokens (recommended via HTTPS) or SSH keys before August 13 2021 to avoid disruption; update any outdated third‑party integrations.
Integrators must authenticate integrations via web or device flow before the deadline.
Enable two‑factor authentication to enforce token‑based authentication for all operations.
Reference: GitHub Blog – Token Authentication Requirements
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.