
GitHub logged me out of my account because of "password reuse" - get
So I have been using GitHub for quite a while.

When I tried to log in a couple of days ago, it told me my password is wrong. Which is impossible. I remember it. I wrote it down. It's the same as it was before.

Luckily I was able to get hold of the old outlook.com email I was using when I signed up. Haven't used Outlook in ages and it greeted me with a prompt to give them a phone number. I refused and luckily it told me that I can skip it for now but they will disable access completely in 7 days.

So I got a password reset link from GitHub. When I tried to use the same password again that I used before GitHub told me:

    The new password you provided has been
    reported as compromised due to re-use of
    that password on another service by you or
    someone else. GitHub has not been
    compromised directly. Your password was not
    saved. Please choose a stronger password.

So is this the reason for the lockout? That they somehow false-positively thought my password was reused somewhere?

It is impossible that it really has been used anywhere else. It is a long random-like password that I only used on GitHub. haveibeenpwned.com also comes back empty on my email.

How can I get more info about this?

What if I had let slip those 7 days Microsoft gave me to access my old email account? Would my access to my GitHub account be gone forever?

What do I do now to keep my account secure? I would never give Microsoft my phone number. So that's not an option for me.
======
r721
>If you are using a known-compromised password found in the HaveIBeenPwned.com
database, you will be prompted to change your password after login or any
other time you provide GitHub your password. Additionally, you will not be
able to create or update an account with a known-compromised password.

https://blog.github.com/changelog/2018-07-31-new-improvements-and-best-practices-for-account-security-and-recoverability/

>Several years ago, security researcher Troy Hunt sought to tackle the
compromised passwords problem with his HaveIBeenPwned.com project. While Troy
hosts a service that people and services can use to check for compromised
passwords, he also generously made the approximately 517 million record
dataset available for download. Using this data, GitHub created an internal
version of this service so that we can validate whether a user’s password has
been found in any publicly available sets of breach data.

>Starting today, people using compromised passwords will be prompted to select
a different password during login, registration, or when updating their
password. Don’t worry, your password is protected by the password hashing
function bcrypt in our database. We only verify whether your password has been
compromised when you provide it to us.

https://blog.github.com/2018-07-31-new-improvements-and-best-practices-for-account-security-and-recoverability/
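
Added example, not part of the thread and not GitHub's code: a minimal offline check of the kind the quoted announcement describes, keyed on the SHA-1 of the password itself rather than on an e-mail address. The sample dataset, its counts, the function names and the prefix bucketing are assumptions made for illustration; the page does not say how GitHub's internal service is built.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password: str) -> str:
    # SHA-1 is used only as the lookup key of the breach dataset,
    # never as a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample in the "SHA1HEX:COUNT" line format of the downloadable
# Pwned Passwords dataset. The counts are made up.
SAMPLE_DATASET = [
    f"{sha1_hex(p)}:{n}"
    for p, n in [("password", 1000), ("123456", 2000),
                 ("correct horse battery staple", 3)]
]

def build_index(lines):
    """Bucket hashes by their first 5 hex chars: prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for line in lines:
        digest, _, count = line.strip().partition(":")
        if len(digest) != 40 or not count.isdigit():
            continue  # skip malformed lines instead of failing the whole load
        index[digest[:5]][digest[5:]] = int(count)
    return index

def range_lookup(index, prefix):
    """Everything the lookup side reveals for one prefix: 'SUFFIX:COUNT' lines."""
    return [f"{s}:{c}" for s, c in sorted(index.get(prefix, {}).items())]

def pwned_count(password, index):
    """How many times this exact password appears in the dataset (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(index, prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def acceptable_new_password(password, index):
    """Policy from the announcement: reject any password found in breach data."""
    return pwned_count(password, index) == 0

INDEX = build_index(SAMPLE_DATASET)
```

The result depends only on the password string: a match means some account somewhere used that exact password, not that a particular e-mail address appeared in a breach.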

~~~
get
As I said, my password has not been used anywhere else. haveibeenpwned.com
comes back empty for it.

------
detaro
> _How can I get more info about this?_

Check their announcements, this might be it:
https://blog.github.com/2018-07-31-new-improvements-and-best-practices-for-account-security-and-recoverability/

> _What do I do now to keep my account secure? I would never give Microsoft my
> phone number. So that's not an option for me._

Keep the e-mail settings of your account up to date to accounts you actually
use and have access to.

------
newman8r
Are you positive you didn't actually sign up for 2 github accounts and got
mixed up on the login email, and then tried using the same password on the
second account for the first?

------
kristianp
Is the password from a book or song? If so, someone else may have used it.

