Your security on GitHub, and on every other account you have on the web, is best served by a strong password that isn't shared with any other person, service, or site.

When you create a password for your GitHub user account, we automatically disallow some things that can make your password insecure, such as:

  • Passwords without unique characters
  • Letter or number combinations that have proven to be easily guessable by nefarious types (or bots)

However, there are additional things you should consider that we can't control. You have the power to protect yourself!

Make your password as strong as possible

You probably already know that a good password is a word or sequence of at least 12 characters with a combination of lower- and upper-case letters, numbers, and special characters.

However, a much better password is a passphrase with at least 16 characters. For example, "canaries baseball clock dreams" (with a hat tip to XKCD) is very strong and difficult to guess, but also easy for you to remember.
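A passphrase is only hard to guess when its words are picked at random rather than chosen because they feel memorable. The following is an added example, not GitHub's own code: it draws words with a cryptographically secure random source and enforces the 16-character minimum mentioned above. The word list, function names, and parameters are constructed for illustration.

```python
import math
import secrets

# Constructed sample word list, for illustration only. A real generator
# should draw from a large published list; a 7,776-word diceware-style
# list gives about 12.9 bits of entropy per word.
SAMPLE_WORDS = [
    "canaries", "baseball", "clock", "dreams", "harbor", "velvet",
    "thunder", "pencil", "orchard", "lantern", "marble", "compass",
    "whistle", "garden", "rocket", "blanket",
]

MIN_LENGTH = 16  # minimum passphrase length recommended on this page


def entropy_bits(list_size, word_count):
    """Bits of entropy when each word is picked uniformly at random."""
    return word_count * math.log2(list_size)


def make_passphrase(words=SAMPLE_WORDS, word_count=4, min_length=MIN_LENGTH):
    """Return a space-separated passphrase of randomly chosen words."""
    if word_count < 1 or len(set(words)) < 2:
        raise ValueError("need at least one word and a list of distinct words")
    longest = max(len(w) for w in words)
    if word_count * longest + (word_count - 1) < min_length:
        raise ValueError("word_count too small to ever reach min_length")
    while True:
        # secrets uses the operating system's CSPRNG; the random module
        # is predictable and must not be used for credentials.
        phrase = " ".join(secrets.choice(words) for _ in range(word_count))
        # Re-draw short results. With the sample list every four-word
        # phrase is already at least 23 characters, so nothing is rejected.
        if len(phrase) >= min_length:
            return phrase


if __name__ == "__main__":
    print(make_passphrase())
    print(f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits with the sample list")
```

The 16-word sample list yields only 16 bits for four words, which is why the size of the list matters as much as the number of words.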

Don't share your password with anyone, ever (no, never)

"Sharing" your password can be intentional or unintentional.

Intentionally sharing your password

Telling anyone your password--even a potential collaborator on a repository--makes you vulnerable to security breaches. GitHub has a few different ways to let you collaborate with others and keep your account private.

Unintentionally sharing your password

If your password is tricky to remember, writing it down somewhere, such as on a piece of paper near your computer, is like not having a password at all. If anyone were to see that piece of paper, you'd be in big trouble.

Instead, use a personal password manager such as LastPass, 1Password, or Keeper.

Keep your GitHub password different from those used for other accounts or services

Your GitHub password should be unique not only to you but also to GitHub. Attackers know that people tend to reuse the same password for multiple accounts because it's easier to remember that way. If your password is guessed on another service, it could be guessed here on GitHub.

Warning: Security incidents at other companies have provided criminals with vast lists of valid user names, email addresses, and passwords that are used in attempts to access your encrypted data all over the internet.

Unless you have an award-winning memory, it can be very difficult to remember unique passwords for all accounts and services you use. To keep track of your passwords, use a personal password manager such as LastPass, 1Password, or Keeper.

Enable two-factor authentication

Think of two-factor authentication as a second metal door an intruder has to work hard to bust through after they've successfully picked the lock on the first one. For more information, see "About two-factor authentication."