[narraturgy]

Ok I'll admit it. I'm the dingus who is still using https and login/password. It's how I learned to use it years ago and since I only ever access GitHub via cli it's all I've ever learned. I don't program anything complex and I've never put anything secure up on GitHub (it's public, after all, so i had the expectation that all info on there is insecure). I don't understand why this is being deprecated when it's the default suggestion GitHub provides you when you add a new repo to your profile so that you can connect your local git repo to it. For hosting my trivial personal projects it seems so silly to have to go onto github's web interface and click through a bunch of their ui to build a personal passkey(which is just a password with a different name afaict). Am I just not the intended audience for the change or am I missing something crucial that doesn't make this seem like a bunch of extra effort for no meaningful change?

[cyral]

You forgot about the part where you run `git push` later and realize it didn't save your passkey, so you have to make another one. This time you Google how to save it and copy the top answer on StackOverflow, which uses the git credentials store to save it in plain text in your ~/.gitconfig file. Now is the passkey more secure?

[voltagex_]

That seems more like a problem with StackOverflow than anything else.

[IshKebab]

Yeah I would just edit that answer to add a big warning at the top.

[nine_k]

> it's public, after all, so i had the expectation that all info on there is insecure

I think it's a misconception.

Unless you just let everyone write anything in your repo, one would expect that what is there is what it says on the tin.

Every public software project takes measures to stay authentic and not let random and unreviewed, potentially malicious bits in. This is how they keep their users' trust.

Very roughly, "public" = read access is unrestricted, and "insecure" = write access is unrestricted.

[runj__]

I'm also a dingus and I am sometimes forced to clone private repos to new machines which doesn't have my keys. I know that ssh-agent is a thing which is sometimes set up but I still don't really know how it works, and sometimes it doesn't work at all with weird proxy servers and whatnot.

I wish there was some way of _manually_ identifying via a simple link or QR code or whatever.

[the8472]

> I don't understand why this is being deprecated when it's the default suggestion GitHub provides you when you add a new repo to your profile so that you can connect your local git repo to it.

It suggests SSH commands by default for me, I assume this depends whether you have added an SSH key to your account or not.

[WorldMaker]

You can use a supporting Git Credential Manager (such as GCM Core: https://github.com/microsoft/Git-Credential-Manager-Core) to keep using HTTPS and login/password. Instead of typing in your username/password directly in the CLI, it pops up GitHub's login page where you input login/password and then does the dance for you to get an access token from that.

(Git for Windows default installs GCM Core. Some Linux distros do to. You may even already be using it. I think I've seen some confusion in comments here and elsewhere that they don't realize they are already typing in their username/password to a GCM dialog and that's going to keep working. This is about removing HTTPS Digest auth with direct password transmission over the wire.)

[voltagex_]

Wait til you work in a corporate environment where core doesn't work but the original GCM does. They bungled that transition.

[vtbassmatt]

Have you filed an issue on it? We'd be happy to investigate. https://github.com/microsoft/Git-Credential-Manager-Core/iss...

[WorldMaker]

That sounds painful, and in having my own share of dumb corporate papercuts in my environment I sympathize. I'd also point out and echo the sibling comment that the few times I've had GCM problems, the GitHub Issues have helped me debug and fix it (either having an existing Issue with enough details to correct it myself or responding quickly when I've needed to post something).

[peterburkimsher]

Thank you for being humble and describing the ways you use GitHub!

I'm the same, and it's reassuring to know that I'm not the only one just using it as a free web host for personal projects.

Until starting a new job in January 2021, I "knew git" to the extent of git pull, git add, git commit -m, and git push. For everything else I just made a copy of the repo. Now I've learned a little more about branches and merge requests, but I still make a copy of the repo and copy my changes over when things go wrong. https://xkcd.com/1597/

Like you, I got some password-related warnings on GitHub, and honestly it's scaring me away. I know it'll take an hour or so to figure out what went wrong, regenerate a ton of SSH keys for every computer I own and link them to my account, disable 2FA because my phone number is in another country... I'd rather just upload a file, thanks.

The increased overhead means I'd rather just use FTP to upload some files to an HTTP server, but I don't think that such free FTP web hosts exist any more. At least, not ones with a domain that people recognise. That said, peterburk.github.com is no longer accessible, only peterburk.github.io, so maybe it is time for me to go looking for a free .com subdomain.

I'm grateful for GitHub hosting all the junk I decide to share, and I'm obviously not their target market if I'm not paying. I just wish there were a place I could drag & drop to upload content publicly.

[3np]

> regenerate a ton of SSH keys for every computer I own and link them to my account

You could do a single one per computer. You could even do a shared single one across all computers (it’s recommended against but not strictly worse than a shared password)

> disable 2FA because my phone number is in another country

Don’t use SMS for 2FA. Use TOTP (Google Authenticator or similar app. There are alternatives that let you sync) or U2F (hardware key)

[hortense]

You can switch to bitbucket, they still support passwords.

[epage]

I was in the same boat until recently. There have even been a couple of projects I got invited to that I never could join because of this (since multi-factor doesn't work with terminal username/password).

I've tried setting up SSH keys many times and have somehow failed many times. The UX for security stuff just isn't there. I finally have gotten a workflow sort-of figured out and documented to remind myself in the future.

[amiga-workbench]

Key based auth is much more resistant to phishing. Its just one command to have openssh generate a key pair on your computer, and you're done. Password auth in general cannot go away fast enough.

[Osiris]

Not in Windows unless you have WOL installed.

[rakoo]

I'm using Windows and git with ssh keys and haven't managed to install WOL.

What you need is to install Git for Windows. It will include ssh-keygen (if it's not already there) and you can do the usual dance.

[kiwijamo]

Windows comes with ssh by default these days so you can easily ssh-keygen. Doesn't need WOL as I used that without WOL.

[omegalulw]

Isn't the annoyance of having to type your password enough to prod you to use SSH?