Does Git OpenSSH store entered usernames?
When pushing changes to GitHub in Git via OpenSSH, I accidentally typed my password in the username prompt (I got confused because the username prompt also masks the characters with asterisks).
So when the actual password prompt came up I got a nasty surprise:
Since I entered my password for the username, should I worry about my password being stored in plaintext anywhere, both on Git's logs on my computer and on GitHub's servers?
I am using Git 2.23.0 on Windows 10.
In this case, you're not actually using SSH; you're using the SSH askpass tool to prompt for HTTPS credentials, so you don't need to worry about what OpenSSH does. The askpass tool itself will of course handle credential input safely without logging. However, your username is sent to the remote server, so if you submitted the password field, your password is now almost certainly in GitHub's logs (unless it was a GitHub token, since GitHub allows those in the username field in some cases and handles that securely).
If you didn't actually submit the actual password field prompt that showed up, then the password in the username field was not sent anywhere, since the HTTP protocol sends them as one unit. Since the credential prompt would have failed, no connection was made, and you don't really need to worry about it.
Since this is for HTTP, if you're using a credential manager, such as the Git Credential Manager or wincred, and the password was sent, then you may want to inspect the Windows credential store to see if it's been saved in a username field there. That would be encrypted, though, but the data could be sent again if the credential helper fills it in.
If the password was sent, you have to assume that anything that uses that password is now compromised and change it everywhere it's used. If you were using a token, then replace it with a new one. If you're using the same password in multiple places, take this opportunity to get started with a password manager so that this kind of thing is less of a hassle if you ever do it again (and we all have).
- GitVersion doesn't cause error in Azure Devops Pipeline
- Merging two git repository into another with Github actions
- Can I have two Libraries within one Azure Repo and install them using requirements.txt
- Git, fatal: The remote end hung up unexpectedly
- How to build git with static linking?
- Convert line-endings for whole directory tree (Git)
- How to add a changed file to an older (not last) commit in Git
- Show latest commit for a user across all branches
- How do I run git log to see changes only for a specific branch?
- How is it best to update a project when updates are provided as an archive?
- How to make 'git diff' ignore comments
- Can I hide a branch in a git repo for all remote clones?
- How do I get the Git commit count?
- Get the default upstream remote & branch for "git push"
- How to remove a pushed commit on GitHub?
- How to prune local tracking branches that do not exist on remote anymore?
- Target files with no file extension in .gitattributes
- What to do if git-am fails with "does not match index"?
- Does git support wildcards in paths?
- git alias ssh-add .gitconfig
- go get results in 'terminal prompts disabled' error for GitHub private repo
- How do I clone a Git repository into a specific folder?
- How to update my working Git branch from another branch (develop)?
- Merging 2 branches together in Git
- When to use "chore" as type of commit message?
- Git symbolic links in Windows
- Azure Devops 'git' is not recognized as an internal or external command on my Release pipeline
- In git, what does `--` (dash dash) mean?
- What is fast-forwarding?
- Jenkins: Error connecting to a GIT repository