
The list of IPs from China (& Indonesia, etc.) that most are seeing on their page making failed login attempts looks like a botnet or automated brute force on the GitHub authentication service. Hit enough usernames with a dictionary attack and they'll get some accounts. I assume that GH are doing some basic rate-limiting or 'fail2ban' style blacklisting on these attempts.

As anyone who's put an EC2 up without securing it knows, an automated SSH attempt at 'root' will be made within a few hours of it coming online.

Attacks like this are commonplace on the internet.

What I will take away from this is that github provides a very nice authentication audit log. I really want every service/app/site to provide this kind of information.

Or attached any box directly to the internet.

This looks like bog standard background noise to me.
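The 'fail2ban' style blacklisting the first comment assumes, as an added example that is not part of the thread and not GitHub's code: a sliding-window tracker that bans a source IP after a burst of failed logins and separately flags IPs that spray many distinct usernames, which is what a dictionary run against an authentication service looks like in an audit log. The log lines are constructed for the example in a made-up "timestamp user ip outcome" layout, not GitHub's real audit-log format; the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events (NOT GitHub's audit-log format).
# Layout: ISO-8601 timestamp, username, source IP, outcome.
SAMPLE_LOG = """\
2013-11-19T10:00:01Z alice 203.0.113.5 failure
2013-11-19T10:00:03Z bob 203.0.113.5 failure
2013-11-19T10:00:04Z carol 203.0.113.5 failure
2013-11-19T10:00:06Z dave 203.0.113.5 failure
2013-11-19T10:00:07Z erin 203.0.113.5 failure
2013-11-19T10:00:09Z frank 203.0.113.5 failure
2013-11-19T10:01:00Z alice 198.51.100.7 failure
2013-11-19T10:01:30Z alice 198.51.100.7 success
2013-11-19T11:30:00Z grace 203.0.113.5 failure
"""


def parse_line(line):
    """Split one constructed log line into (datetime, user, ip, outcome)."""
    ts, user, ip, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, ip, outcome


class FailedLoginTracker:
    """fail2ban-style tracker: ban a source IP once it accumulates
    `max_failures` failed logins inside a sliding `window`. Also records
    which usernames each IP tried, so a spray (one IP, many users) can be
    told apart from one person mistyping their own password."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 ban_duration=timedelta(hours=1)):
        self.max_failures = max_failures        # assumed thresholds
        self.window = window
        self.ban_duration = ban_duration
        self.failures = defaultdict(deque)      # ip -> recent failure timestamps
        self.usernames = defaultdict(set)       # ip -> distinct usernames tried
        self.banned_until = {}                  # ip -> datetime the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def observe(self, ts, user, ip, outcome):
        """Feed one event in time order. Returns "banned" on the event that
        trips the ban, "already_banned" while a ban is active, else None."""
        if self.is_banned(ip, ts):
            return "already_banned"
        if outcome != "failure":
            return None
        recent = self.failures[ip]
        recent.append(ts)
        self.usernames[ip].add(user)
        # Expire failures that have fallen out of the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_duration
            recent.clear()
            return "banned"
        return None

    def spraying_ips(self, min_users=4):
        """IPs that tried at least `min_users` distinct accounts."""
        return {ip for ip, users in self.usernames.items() if len(users) >= min_users}


def analyze(log_text, **kwargs):
    """Run the tracker over a log and return (tracker, [(ip, verdict), ...])."""
    tracker = FailedLoginTracker(**kwargs)
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = parse_line(line)
        verdicts.append((ip, tracker.observe(ts, user, ip, outcome)))
    return tracker, verdicts


if __name__ == "__main__":
    tracker, verdicts = analyze(SAMPLE_LOG)
    for ip, verdict in verdicts:
        if verdict:
            print(ip, verdict)
    print("spraying:", tracker.spraying_ips())
```

On the sample, 203.0.113.5 is banned on its fifth failure, its sixth attempt is rejected as already banned, and the attempt at 11:30 is accepted for evaluation again because the one-hour ban has lapsed; the single failure from 198.51.100.7 followed by a success never trips anything. Per-IP banning alone is weak against a botnet that spreads guesses across thousands of addresses, which is why the per-username failure count and the spray signal matter as much as the per-IP one.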


I wonder if this is related to the recent Adobe and vBulletin user database breaches. They might be trying those passwords on GH.

Very likely.

We've just added a kill-list of known decrypted passwords and English language words, and forced people who are listed in the Adobe breach to reset their passwords.

How do you find out that someone's using a known decrypted password on your service?

From here: http://stricture-group.com/files/adobe-top100.txt

We wrote a script that hashed these passwords with the stored salt for each user and compared the result with the stored hashed value. Basically we brute-forced everyone's accounts with the dictionary provided. Anyone who was found with an account that was in the dictionary was locked out with a forced password change. We changed the password policy before doing this to increase complexity and block dictionary words and the words from the decrypted list. We also force people to change their password every 28 days anyway and keep the last 7 hashed passwords and salts to verify that the user hasn't reused one.

We store financial data, so the auth requirements are pretty hardcore.
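The check described in the comment above, as an added example that is not the commenter's script: hash each breach-list candidate with the user's own salt, compare against the stored hash, lock out the matches, and enforce the new policy (banned words plus the last 7 hashes) when the user picks a replacement. The KDF (PBKDF2-HMAC-SHA256 with a per-user salt), the iteration count, the user records and the short stand-in for the linked adobe-top100 list are all assumptions made for the example; the real list is far longer and the real cost is users × candidates KDF calls.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed KDF work factor; tune for your hardware


def hash_password(password, salt, iterations=ITERATIONS):
    """Per-user salted PBKDF2-HMAC-SHA256 (assumed storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(username, password):
    """Constructed user record: fresh random salt, current hash, history of
    (salt, hash) pairs for previously used passwords."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "history": [], "must_reset": False}


# Constructed stand-in for the linked adobe-top100 list plus a few
# dictionary words; the real kill-list would be much larger.
BREACH_LIST = ["123456", "password", "qwerty", "photoshop", "adobe123"]
DICTIONARY = ["welcome", "letmein", "dragon"]


def find_compromised(users, candidates):
    """Offline dictionary attack against our own table: for every user, run
    each candidate through that user's salt and compare in constant time.
    Returns {username: matched_password}."""
    hits = {}
    for u in users:
        for pw in candidates:
            if hmac.compare_digest(hash_password(pw, u["salt"]), u["hash"]):
                hits[u["username"]] = pw
                break
    return hits


def lock_out(users, hits):
    """Flag every matched account for a forced password change."""
    for u in users:
        if u["username"] in hits:
            u["must_reset"] = True
    return [u["username"] for u in users if u["must_reset"]]


def password_acceptable(user, new_password, banned_words, history_depth=7, min_len=12):
    """New-password policy: minimum length, no banned/breached word as a
    substring, not the current password, and not any of the last
    `history_depth` passwords (each re-hashed under its own old salt)."""
    if len(new_password) < min_len:
        return False, "too short"
    lowered = new_password.lower()
    for word in banned_words:
        if word.lower() in lowered:
            return False, "contains banned word"
    if hmac.compare_digest(hash_password(new_password, user["salt"]), user["hash"]):
        return False, "same as current password"
    for old_salt, old_hash in user["history"][-history_depth:]:
        if hmac.compare_digest(hash_password(new_password, old_salt), old_hash):
            return False, "reused recent password"
    return True, "ok"


def set_password(user, new_password, history_depth=7):
    """Rotate to a new salt+hash, pushing the old pair into the history."""
    user["history"].append((user["salt"], user["hash"]))
    user["history"] = user["history"][-history_depth:]
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(new_password, user["salt"])
    user["must_reset"] = False


def demo():
    """Constructed run: one user on the breach list, two who are not."""
    users = [make_user("alice", "photoshop"),
             make_user("bob", "correct horse battery staple"),
             make_user("carol", "Tr0ub4dor&3-extended")]
    hits = find_compromised(users, BREACH_LIST + DICTIONARY)
    locked = lock_out(users, hits)
    return users, hits, locked


if __name__ == "__main__":
    users, hits, locked = demo()
    print("compromised:", hits, "locked:", locked)
```

Because every candidate has to be re-derived under each user's individual salt, this sweep costs as much as an attacker's offline attack would; that is the point of per-user salts, and it is why the sweep should be run once against a short, high-value list rather than a full wordlist. Checking the candidate at password-change time (the policy function) is cheap by comparison and catches the same words going forward.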

I wonder. I used the same username and password for both Adobe and github. But they were not able to break in.

Of course I changed the password for github now.

I have 14 failed attempts in the last 4 days.

I didn't have an account on either of those websites, but still had 5 failed login attempts.

Seems more like it's just background noise and they've just enabled reporting of it. I don't really see the problem; everyone should have secure passwords or two factor anyway. If some random botnet can guess your password after < 50 guesses you're doing something wrong.
