Employer asking for GitHub password. How to handle this?

Today, I was asked by my employer for my GitHub password. This is something I'm not willing to give out, especially since I work on other projects (outside of work) and am not willing to compromise anyone's data.

Anyone have any advice on how to respond to this request?

This may be more of a rant here:

I ask this because the manager in question demands passwords from everyone for every bit of software and every single device their subordinates use. That data is kept on a spreadsheet right on their desktop!!! They also remote in to work devices using insecure software and I'm basically waiting for the next data hack.

UPDATE 1

  • This has progressed a little more than I thought it would.
  • I let my employer know that I am responsible for more data than just their company's and I am not willing to compromise anyone's data. As it would be a security issue for me to disclose my password, I am unable to provide my login credentials to them.
  • Within 5 minutes of that, two managers have now scheduled to have a meeting with me regarding this.
  • This seems awfully strange. I'll keep updating as new events unfold.

UPDATE 2

  • Wow! Thank you everyone for responding! Ended up getting an engineering team together to educate the management on the risks of their current system.
  • It sounds like management is going to take this advice to change their password control situation. Sounds like they were not used to hearing "no" (more or less) from an employee.

Comments (42)

Mark

"No"

Daniel Sont

"No, that's illegal"

Sandeep Panda

Firstly, ask them why they need your password when they can simply add you to their organization. Secondly, explain to them why it's not a good idea to reveal your GitHub password.

Hopefully, they will understand. Either way, never disclose your password.

Terence Eden

I'm going to respectfully disagree with the other answers. Jobs are hard to come by, and sometimes we have to stay in abusive relationships in order to put food on the table.

Your long term plan should be to leave this company, or get them to change their policies.

Your short term plan is this:

  1. Set up 2FA on GitHub. Use a token rather than SMS if possible.
  2. Change your GitHub password to a random string of letters, numbers, and symbols. Make sure it is different from every other password you use for other services.
  3. If your employer threatens you into handing it over, you can do so in relative safety.

Your employer will not be able to log in without your 2FA code, and you'll be able to check for failed login attempts.

To be clear - this is not a long term practical solution. If you work in a large company, you should contact their information security team. If you work in a regulated environment, you should discuss this with your regulators.

If you are being threatened or bullied, talk to your Trade Union to see how they can help.

And, of course, start looking for a new job.

Ultimately, no, you shouldn't have to hand over your password. But 2FA will give you some protection and some breathing room until you can find a better solution.

Karan Gandhi

If they can ask for your private passwords, they can certainly write a policy which bars 2FA. The best move is to keep your personal and official accounts separate.

Mark

Or if you want to do it with a video:

(Link time doesn't work, copy-paste)

Mark

Seriously though, time to update your CV. Depending on where you work, look into legal action for privacy invasion, unjust firing (in advance) or improper protection of other's data. But get out of there if you can.

Sébastien Portebois

As other people already clearly expressed, it's a big no.

Then you have two choices:

  • A: you just realized (if it was not the case) how bad the security hygiene of the company is (or they know they shouldn't but still ask, which is even worse), and you have to deal with it (work around it or find another job)
  • B: if you believe there's hope, you can transform this into an opportunity to educate the team and make them understand why accounts (Github or anything else) should never be shared. Even purely professional accounts. This is not just a privacy issue. Sharing credentials is also a good avenue to be unable to identify the origin of a leak, to not be able to control who has access to what... in short, it might be a big cause of trouble for the business.

Sharing passwords usually comes with other bad hygiene: sharing ssh keys, sharing certificates, sharing API tokens with privilege rights, ....

If you manage to make them understand that, making sure every employee is responsible, has his own credentials and never shares them with anyone is a very good way to avoid big problems later.

In short, it's a big red burning flag with loud air horns and huge flashing lights. But at least you might try to get something positive (for you, or at least for them, it's good karma!)

Kunal Mehta

Wow, I got a similar question from my very first employer. I tried to convince them that it's not a good idea and that I can share any projects or things they are really interested in with them. They didn't agree to listen or have any further conversation. I raised it to my manager; even he was helpless because of internal politics. It was a very strange thing for me even though I was just a college grad then.

I told them I will share it in some time. After a few minutes, I sent out an email keeping my team members, manager and US-based manager in CC with the title: "My Github Password"

As discussed, I am sharing my password with you as you need it for some undisclosable business and my manager has no say in it.

Here's my password: "Le@rnEthics&EmployeeIntegrity"

Kamen Minkov

If that's not a huge red flag, then I don't know what. By reading just the title I thought they were testing you in some way, but after reading the post itself the whole thing became absurd. Run while you still can I guess...

Adam Szaloczi

Is that possible?! No way... Make a new account, upload the company related project(s), give them the pw.

Brandon

Personally I would find a new job or find a lawyer.

  1. Employers shouldn't be asking for that.
  2. They really shouldn't be keeping that info in plain text on a spreadsheet.
  3. The fact that anyone else acquiesced to such demands is mystifying.

Joe Nash

The Terms of Service are probably your best defence here: help.github.com/articles/github-terms-of-se..

“An "Account" represents your legal relationship with GitHub. A “User Account” represents an individual User’s authorization to log in to and use the Service and serves as a User’s identity on GitHub”

“You are responsible for all content posted and activity that occurs under your Account (even when content is posted by others who have Accounts under your Account).”

“You retain ownership of and responsibility for Your Content. If you're posting anything you did not create yourself or do not own the rights to, you agree that you are responsible for any Content you post;”

And most importantly: “Your login may only be used by one person — i.e., a single login may not be shared by multiple people.”

Xingheng Wang

Sounds like a really unsafe practice also, to keep everyone's password in a spreadsheet. It isn't safe for you, their company or even their customers. It sounds fishy. Do not join.

I can understand that they require everyone who joins the company to use two-factor authentication for Github (which we require for all employees and contractors). But that doesn't require knowing everyone's password; in fact, it makes knowing the password meaningless.

Jason Knight

Since I have ZERO fear, trepidation, or hesitation when it comes to walking away from sleazy dirtbags with garbage insecure practices, I would tell them, "No", follow up with "here's why", and finishing with "If you don't like it, I've got two words for you."

Degenerate into something fool. We just got tired of doin' what ya told us to do.

What you describe is NOT an acceptable practice in any way, shape, or form -- and ANYONE operating that way is either incompetent, corrupt, or an idiot! And I would tell them EXACTLY that in EXACTLY those words.

Jason Knight

Some of those that work forces, are the same that burn crosses.

:D

En mozahid

I will ask him why he is asking me, or where he is using my account. Then I will clearly tell him it is not possible.

Sébastien Portebois

I already answered, but I can't even understand how I forgot this important point, so here's a small post-scriptum.

You and your employer should both know that they wouldn't be able to do anything with the password anyway, since your Github account is obviously protected with MFA too (Github also supports Yubikey security keys, which is even better: no code to enter and better security!)

My point is: if the next step is heading toward good password education (what is a good password, why password sharing is bad, why password reuse is worse, ...), then MFA (and password managers) should be part of those educational discussions.
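
An added example, not code from this thread or from GitHub, showing in working code what Terence Eden's short-term plan and Sébastien's MFA postscript actually buy the account owner: a random per-service password, a TOTP second factor whose seed never leaves the owner's authenticator, and a security log that records the failed attempt when someone who only has the password tries to log in. The HOTP/TOTP routines follow RFC 4226 / RFC 6238 and are checked against the RFC's published test secret; the `Account` class, its PBKDF2 parameters and its log format are a hypothetical stand-in for GitHub's login flow, not GitHub's implementation.

```python
# Added example (not from the original thread, not GitHub's code).
# Models: random password + TOTP second factor + failed-login record.
# TOTP follows RFC 6238 (HOTP per RFC 4226, HMAC-SHA1, 6 digits, 30 s step).
# The Account class is a hypothetical stand-in for a real login service.
import hashlib
import hmac
import secrets
import string
import struct


def random_password(length: int = 24) -> str:
    """Step 2 of the plan: a random, per-service password from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation (low nibble of the last byte selects a 31-bit window)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift.
    Constant-time comparison so the check itself leaks nothing about the code."""
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, len(code) or 6).encode(), code.encode()):
            return True
    return False


class Account:
    """Minimal model of a 2FA-protected login. The TOTP seed is enrolled once and
    never shown again; on a real service it lives only in the owner's authenticator
    app or security key, which is why the password alone is useless to a third party."""

    def __init__(self, password: str, totp_seed: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password, self.salt)
        self._totp_seed = totp_seed
        self.security_log: list = []  # (unix_time, outcome) per attempt

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Iteration count is illustrative; pick per your threat model.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, code: str, at: float) -> bool:
        """Both factors must pass. Every attempt, successful or not, is recorded so
        the owner can review it (GitHub exposes this as the account security log)."""
        password_ok = hmac.compare_digest(self.password_hash, self._hash(password, self.salt))
        if not password_ok:
            self.security_log.append((int(at), "failed: bad password"))
            return False
        if not verify_totp(self._totp_seed, code, at):
            self.security_log.append((int(at), "failed: password ok, 2FA code rejected"))
            return False
        self.security_log.append((int(at), "success"))
        return True


# RFC 4226/6238 reference secret (ASCII "12345678901234567890"), used only so
# the codes below match the RFCs' published test vectors.
RFC_SEED = b"12345678901234567890"


def demo() -> list:
    """Constructed scenario: the owner enrolls, then a manager who was handed the
    password tries to log in without the authenticator, then tries a stale code."""
    owner_password = random_password()
    acct = Account(owner_password, RFC_SEED)
    acct.login(owner_password, "", at=59)                     # password alone: rejected
    acct.login(owner_password, totp(RFC_SEED, 59), at=59)     # owner with live code: accepted
    acct.login(owner_password, totp(RFC_SEED, 59), at=200)    # replayed old code: rejected
    return acct.security_log


if __name__ == "__main__":
    for ts, outcome in demo():
        print(ts, outcome)
```

Running it prints three log lines: the password-only attempt fails, the owner's own attempt succeeds, and a code copied from the earlier login is rejected a few minutes later. That last entry is the one the thread cares about: with 2FA enabled, the spreadsheet password gives its holder nothing but a failed-login record in the owner's security log.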

Ben Buchanan (200ok)

Hard no on giving out a personal password; but your scenario is tricky because a password used to access proprietary code is not really a personal password.

The company may have compliance reasons to need to control authentication to systems that control company code. Your contract may also agree to that. There are a lot of unknowns there that you need to consider (don't respond here, just ask yourself if you know the answers). Obviously if it is about compliance there are better solutions, but that isn't your primary concern right now.

You should be very clear in your head how much you care about this. Are you willing to resign over it? Really? I'm guessing not since you're asking a question here :) ...and if not, you should go into any meeting with an open attitude and have a solution in mind.

Ask questions to understand the request for the password, even if you disagree. You need to understand what is motivating this person to collect passwords.

A likely solution:

  1. create a specific github account which you use only for company code
  2. share that password as directed
  3. Remove all company code from your personal account.
  4. Don't add personal or third party code under the company account.
  5. if you want to - put details of this solution and your security concerns in writing (briefly and respectfully!) to the appropriate people so it's on record in case of a breach (ie. state the bland facts: you were instructed to share the password, you do not control where it has subsequently been stored, in the event of a breach you cannot be responsible for that account's activity). Don't talk about spreadsheets etc, just state the facts in the most boring possible way and don't say anything you could not prove. Keep a copy of this email on a personal system.

You can also look at some positives - eg. perhaps you could update onboarding materials so new staff know to create separate accounts? Perhaps you could help them set up an organisation on github so they can revoke access without needing the password?

Good luck.

bindik

Make a new account for everything they ask the password for. Make a new gmail, a new github account. If you have a rooted android phone you can use a sandbox for some apps and feed them with a fake position, data... etc.

cedric simon

If it's your personal GitHub account, you have nothing to give, it's not their account.

Bhojendra Rauniyar

WOW! It's an awesome question to see. Everyone disagrees with giving the password. This is 100% correct.

BUT!!! Remember! How we need to handle the BOSS?

I won't go against the boss directly. This will ruin the relationships between both parties. I will first understand the reason why they require the passwords exactly for. And if they really need it, there's no issue. Here's how:

Create new account addressing with their company. Share the password. No worries at all.

Normally, working in a company, they provide @companyname.com account. Do you know they can still see your activities, messages if they wish?

Thus, sharing passwords between client and worker is not harmful at all. It's because we're just performing for them. We're just selling our skills for their product. And the password is the key for their door to lock anytime if they wish to keep their product private and keep you away whenever you leave them. It's just one kind of human behavior. Though, most of us dislike it!

But beware! Be bold, stay eagle-eyed if they really say "I'm the boss, I'm always right" straight to your face. Then I suggest you keep an eye on Google for the right company. No complaint at all. This is ethically good for you because you love your work and you should not hate somebody attached to that work. Just believe in yourself; you'll find lovable people if you keep good faith and more love for your work.

Conclusion: Manner is what every boss wants to see. If your work is good, then the boss will agree with you if give advice or suggestion. More connected people ... job claps!

Mark

I'd say that saying "no" won't ruin the relationship, because the relationship was already ruined by the boss when he asked the password. But it's probably still wise to be polite.

Ruurd Pels

If I must use github in a company setting I would create a company login for that. Keep your private stuff as much separated from company stuff as possible.

Mike Schinkel

I read this after UPDATE 2. Just wanted to say "Great job working through this and getting them to change!"

Ebenezer

I think the best way to handle this is for the company to create a GitHub account for internal projects, shared among the stakeholders. So just create a new account, upload the projects for the company there and share the credentials with them..

Travis Raup

I wouldn't work there. That's BS

Daniel Sont

Get fired and then take legal action. (disclaimer, I'm not a lawyer or anything, but this seems like something so so wrong)

The ruling was widely reported as meaning it is illegal for people to share their account passwords with anyone else (sample headlines: “Federal court rules that sharing your Netflix password is a federal crime,” and “Federal Court Rules That Password Sharing Is Illegal Under Insane Ancient Law”). Jul 12, 2016

Google: password sharing illegal employment

Tommy Hodgins

Apart from their storage of secure information which is awful, I don't see any reason why your employer would need your Github password.

They can already add you to Github projects, but asking for your password is asking for the permission to impersonate you on your own account! There's absolutely no reason they would or should have that ability.

If I were working with people like this I would set up additional accounts just for working with them, if they won't give you a company account, make an alternate free account for yourself that you only use with this company.

PhiGuy

Your employer shouldn't need access to your github account, or the password you use to sign in.

Your employer should be able to regulate the permissions of your github account with respect to the projects they own and you work on.

Perhaps them asking for your password is an indication that they do not know much about how GitHub's projects work.

I would recommend taking the other suggestion in this thread as an opportunity to educate your employer and explain to them why sharing passwords is not a good idea. Offer to make the system better; if your employer is reasonable, they will allow you to guide them in making the whole system work better.

10Q

Kudos to you and your co-workers for attempting something constructive rather than rolling over or quitting. Personally I would have just made a separate account and given them the password to that so as not to make waves. I'm impressed that you stood up to better your situation because I probably would not have.

Also it is great your management was open. I can't imagine the logic behind asking for passwords but I'm glad to read that your management is going to change their password control policy.

Hipkiss

I'm curious to know which company - so I, as well as others, can avoid it at all costs.

Also, why are you still there?......

Aakash Mallik

Just create another account and shift your repo there. If it is your employment you are concerned about, you gotta bend the knee here coz one way or the other, someone will taste bad blood in the end. Who the fuck asks for GitHub password? Who the fuck asks for any password?

And if they are such geniuses, they should have blacklisted Github.com in their firewall when they had the chance and used an enterprise self-hosted Github server of their own to keep the company code. Boi, you are working with idiots I am telling you.