I just clicked on my id in another post and discovered my github password was displayed! This is a gross violation of my security! Please stop this practice!
Can you give an example? This has never happened to anyone else as far as I know.
Did you, for example, enter your GitHub password when you were asked to enter a URL instead?
That must be the problem, thanks. I’ll correct it immediately.
It looks like you entered your GitHub password into the field designated for your GitHub username. You should edit that field and change your GitHub password immediately and audit/expire all GitHub sessions.
For expediency, I’ve cleared that field on your behalf. You can edit it in your user preferences in the “Profile” tab.
Testing github user name
Just for reference for other readers: Discourse (or any other modern software using features like log-in-with-github or log-in-with-whatever) would never even get access to these passwords. The whole point of these “log-in-with-something” features is to avoid password management (the login provider creates temporary tokens and permissions on their behalf, never sharing passwords).
Even more, GitHub itself does not know your password either: they only know a salted hash from which it should be impossible to derive your password (that would be a prohibitively expensive computational operation). When you try to log in, they transform the password into the hash (a cheap operation) and compare hashes.
This is all to say: if you suspect a service even knows the password you use to log in (let alone it carelessly displays it somewhere), you should already be worried about their security competency.
The problem here was mistaking a purely informational field about a username for a password field - entering a password during account linking (even though that’s not what happened here) is usually a common practice, since it’s common to have to log into the account that’s being linked to verify that the linking is desired.
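
The salted-hash login check described earlier in this thread, as an added example that is not part of any post here and is not GitHub's or Discourse's code. It assumes PBKDF2-HMAC-SHA256 from Python's standard library; the function names, work factor and sample password are chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build what the server stores at sign-up: salt, work factor and hash.

    The password itself is never written anywhere.
    """
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from a login attempt and compare it to the stored one."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), salt, record["iterations"]
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    alice = make_record(pw)
    bob = make_record(pw)  # a second account that happens to reuse the password
    print("correct password accepted:", verify(alice, pw))
    print("wrong password accepted:  ", verify(alice, "wrong guess"))
    # Different salts give different hashes, so a leaked table does not
    # reveal which accounts share a password.
    print("same hash for both users: ", alice["hash"] == bob["hash"])
```

Because the record holds only the salt, the work factor and the hash, a profile page backed by this data has no password to display.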