
They should provide the password used to attempt to log in too.

That's a security risk in and of itself. Suppose someone has an account named 'bobs'. For whatever reason, they don't notice that they mistyped and put in 'bob' instead. They try a couple of times with their correct password, and now the 'bob' user has someone else's valid password in their logs. Said user could then set up very minimal bits of automation to discover and break into that account.

No, they definitely shouldn't, for the same reason they don't store the real passwords in plain text. It would be a terrible security hole.

Sorry for being ignorant, but why is providing the passwords they guess/automate a security issue?

For one, because if someone does find a hole that gives them access to GitHub data, they'll have all password attempts, which would include typos of the real password. Which is a terrible, terrible thing to store on a hard drive (see Adobe).

For instance (just a quick idea): because if you make a mistake and enter your Gmail password instead of your GitHub password, now your Gmail password is stored in clear text in their database, opening another can of worms, etc.
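The whole thread boils down to one engineering rule: a failed-login audit record may carry who, when and from where, but never the submitted secret, because typos and wrong-site passwords make attempted passwords as sensitive as real ones. The snippet below is an added illustration, not code from GitHub or from any commenter; the field names, the `SENSITIVE_FIELDS` list and the sample form are constructed for the example. It builds a storable record from a raw login form, strips every credential-looking field before anything is serialized, and keeps only the names of the fields that were present so an operator can still tell a malformed request from a bad password.

```python
import json
from datetime import datetime, timezone

# Form keys that must never reach persistent storage (constructed list; extend
# it for whatever credential fields your login form actually uses).
SENSITIVE_FIELDS = {"password", "passwd", "pass", "secret", "token", "otp"}


def redact(form):
    """Return a copy of the submitted form with all credential fields removed."""
    return {k: v for k, v in form.items() if k.lower() not in SENSITIVE_FIELDS}


def failed_login_record(form, source_ip, now=None):
    """Build an audit record for a failed login that is safe to write to disk.

    Only the claimed username, timestamp, source address and the *names* of
    submitted fields are kept; the values of credential fields are dropped.
    """
    now = now or datetime.now(timezone.utc)
    return {
        "event": "login_failed",
        "ts": now.isoformat(),
        "username": form.get("username", ""),
        "source_ip": source_ip,
        "fields_submitted": sorted(form.keys()),  # names only, never values
        "extra": redact({k: v for k, v in form.items() if k != "username"}),
    }


def leaks_secret(record, secret):
    """True if the serialized record would expose the given secret."""
    return secret in json.dumps(record)


if __name__ == "__main__":
    # Constructed sample: user 'bobs' mistypes their username as 'bob' but
    # submits their real password, exactly the scenario from the thread.
    form = {"username": "bob", "password": "correct horse battery staple", "remember": "1"}
    rec = failed_login_record(form, "203.0.113.7")
    print(json.dumps(rec, indent=2))
    print("secret leaked:", leaks_secret(rec, form["password"]))
```

Note that the record still gives an operator enough to spot brute forcing (repeated failures per username or per source address) without ever holding a value that could unlock another account.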
