https://news.ycombinator.com/item?id=12259176

Apparently github users are increasingly being targeted.

They probably wanted his private code, otherwise the attack is futile.

On 8/10/2016 3:40 AM, Kagamin wrote:
> They probably wanted his private code, otherwise the attack is futile.

Perhaps, but I don't want a malicious actor being able to hose the dlang repository. Too many people depend on it to risk that sort of thing.

On 8/10/16 12:20 AM, Walter Bright wrote:
> https://news.ycombinator.com/item?id=12259176
>
> Apparently github users are increasingly being targeted.

Done. Didn't realize about this issue, of course, probably shouldn't use a crappy password on your DNS server...

In any case, should be 0 impact, since all my github traffic goes via ssh key.

-Steve

On Wednesday, 10 August 2016 at 04:20:51 UTC, Walter Bright wrote:
> https://news.ycombinator.com/item?id=12259176
>
> Apparently github users are increasingly being targeted.

2 Factor Auth is pretty accessible now days. Definitely enable for Gmail to if you're using that service.

I'd recommend using Yubikey, but the two places I've been able to make use of it is a paid for LastPass account and Github. If you do go for a key, choose one with U2F. These keys don't get firmware updates so as they develop new technology on the key it requires buying a new key.

https://www.yubico.com/

On 8/10/2016 9:15 AM, Steven Schveighoffer wrote:
> Done.

Thanks!

> In any case, should be 0 impact, since all my github traffic goes via ssh key.

Like a castle with its defenses in depth, security should always have multiple levels to it to guard against a single point of failure.

On Wednesday, 10 August 2016 at 23:22:24 UTC, Walter Bright wrote:
> On 8/10/2016 9:15 AM, Steven Schveighoffer wrote:
>> Done.
>
> Thanks!
>
>> In any case, should be 0 impact, since all my github traffic goes via ssh key.
>
> Like a castle with its defenses in depth, security should always have multiple levels to it to guard against a single point of failure.

FYI: You (as org admin) can check whether everyone of the organization has 2FA enabled:

https://help.github.com/articles/ensuring-that-organization-members-have-enabled-two-factor-authentication/

On 8/10/2016 4:41 PM, Seb wrote:
> FYI: You (as org admin) can check whether everyone of the organization has 2FA
> enabled:
>
> https://help.github.com/articles/ensuring-that-organization-members-have-enabled-two-factor-authentication/


Thanks! OMG, looks like only about a fifth have 2FA.

On Wednesday, August 10, 2016 18:34:56 Walter Bright via Digitalmars-d wrote:
> On 8/10/2016 4:41 PM, Seb wrote:
> > FYI: You (as org admin) can check whether everyone of the organization has
> > 2FA enabled:
> >
> > https://help.github.com/articles/ensuring-that-organization-members-have-e nabled-two-factor-authentication/
> Thanks! OMG, looks like only about a fifth have 2FA.

I just enabled it because of this thread, but in general, I'm paranoid about two-factor auth and don't use it for much. My domain registrar (and thus DNS) is one of the few places that I have it enabled. I'm just too worried about getting locked out. The very thing that makes it more secure significantly increases the risk of you having a problem that locks you out. :(

- Jonathan M Davis

On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
> I just enabled it because of this thread, but in general, I'm paranoid about two-factor auth and don't use it for much. My domain registrar (and thus DNS) is one of the few places that I have it enabled. I'm just too worried about getting locked out. The very thing that makes it more secure significantly increases the risk of you having a problem that locks you out.

This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well.

However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.