Why GitHub Dropped Password Authentication and How to Switch to Tokens

GitHub ended password‑based Git authentication on August 13, 2021 and now mandates token‑based methods such as personal access tokens, OAuth, or SSH keys. This article explains the timeline, the security reasons, the affected workflows, and the steps developers must take to avoid disruption.

Programmer DD

GitHub Discontinues Password Authentication for Git Operations

On August 13, 2021, GitHub stopped accepting password‑based authentication for Git operations, requiring developers to use token‑based methods such as personal access tokens, OAuth, SSH keys, or GitHub App installation tokens.

Background

On December 15, 2020, GitHub announced that password authentication for Git operations would be removed starting August 13, 2021.

Reasons for the Change

Earlier on July 30, 2020 GitHub warned that token‑based authentication would replace passwords. Timeline of notifications:

July 30, 2020 – Email sent to users authenticating via API with passwords.

September 30 and October 28, 2020 – API operations required personal access or OAuth tokens.

November 13, 2020 – All REST API authentication required tokens (the GraphQL API already required them).

Mid‑2021 – All authenticated Git operations required tokens.

GitHub points to its recent security enhancements (two‑factor authentication, login alerts, device protection, compromised‑password detection, WebAuthn), which guard against attackers exploiting reused passwords. Tokens offer several security advantages:

Uniqueness – tokens are GitHub‑specific and can be scoped per use or device.

Revocability – tokens can be revoked individually without affecting other credentials.

Limited scope – tokens grant only the permissions needed for a given use case.

Randomness – tokens are far more complex than user‑chosen passwords, resisting brute‑force attacks.

Impact of the New Authentication Method

Workflows affected

Command‑line Git access.

Desktop applications that use Git (GitHub Desktop is unaffected).

Any application/service that accesses GitHub repositories with a username/password.

Unaffected scenarios

Accounts with two‑factor authentication enabled, which must already use token or SSH authentication.

GitHub Enterprise Server users.

GitHub Apps, which never supported password authentication.

What Users Need to Do

Developers must switch to personal access tokens (HTTPS recommended) or SSH keys before August 13, 2021 to avoid disruption. Update any third‑party integrations that still use passwords.

Integrators must authenticate integrations via web or device flow before the deadline.

Enable two‑factor authentication to enforce token‑only access for all operations.
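To locate the remotes and stored credentials that still depend on a password, as the steps above require, the following added example (not from the original article or from GitHub) classifies github.com URLs by how they authenticate and redacts secrets before reporting. The token pattern is a heuristic, and all sample URLs, names and secrets are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Heuristic for GitHub-issued tokens: prefixed formats (ghp_, gho_, ghu_, ghs_,
# ghr_), fine-grained PATs (github_pat_) and legacy 40-hex-character tokens.
TOKEN_RE = re.compile(
    r"^(gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,}|[0-9a-f]{40})$"
)

def classify(url):
    """Return 'ssh', 'helper-or-prompt', 'token' or 'password' for a
    github.com URL; None when the URL points at another host."""
    if url.startswith("git@github.com:"):      # scp-style SSH remote
        return "ssh"
    parts = urlsplit(url)
    if parts.hostname != "github.com":
        return None
    if parts.scheme == "ssh":
        return "ssh"
    user = unquote(parts.username or "")
    secret = unquote(parts.password or "")
    if TOKEN_RE.match(user) or TOKEN_RE.match(secret):
        return "token"        # https://<token>@... or https://user:<token>@...
    if secret:
        return "password"     # embedded secret that is not token-shaped
    return "helper-or-prompt" # nothing embedded; a helper or prompt supplies it

def redact(url):
    """Strip the userinfo part so findings can be logged without secrets."""
    return re.sub(r"(?<=://)[^/@]+@", "***@", url)

def audit(urls):
    """Return (redacted_url, verdict) for every github.com entry."""
    return [(redact(u), v) for u in urls if (v := classify(u)) is not None]

# Constructed sample, shaped like ~/.git-credentials lines and remote URLs.
SAMPLE = [
    "https://alice:hunter2@github.com/acme/app.git",
    "https://alice:ghp_" + "a" * 36 + "@github.com/acme/app.git",
    "https://github.com/acme/lib.git",
    "git@github.com:acme/infra.git",
    "https://bob:s3cret@gitlab.example.com/acme/x.git",
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE):
        print(f"{verdict:17} {url}")
```

Entries reported as `password` are the ones to replace with a personal access token or an SSH remote; `helper-or-prompt` entries still need the credential helper's stored secret checked separately.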

Reference: https://github.blog/2020-07-30-token-authentication-requirements-for-api-and-git-operations/

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
