On Password Storage
One of the basic rules to avoid forgetting passwords is not to store them on any digital device. This is also a sensible measure to avoid security issues. And this is essential when not using your own computer.
Insane Defaults
Some days ago, I had to help someone and I needed to clone a git repository from GitLab.1 The computer ran Windows, so I used the PortableGit version.2 That way I could avoid installing the program on the computer. I detected a minor mistake, fixed it and committed the fix.
I was surprised that the dialog that prompted for username and password already had those fields filled in. This was extremely disgusting, because it is a huge security issue. The first prompt didn’t say anywhere that username and password were going to be stored. As I discovered later, this is the default in Windows.3 This is a huge security issue, because I realized only by accident that username and password were stored on the computer.
It is irrelevant, as I read later, that those data were encrypted. Even on your own computer, another person may use them, even without knowing at all what is going on. Storing passwords by default without asking for confirmation is insane.
What Really Happened
It seems that when a program asks Windows for a dialog to input username and password, the OS stores these data in encrypted form. It isn’t optional and you need administrative rights to disable the service that controls this “feature”.
These are known as credentials. In the case of remote repositories, Windows considers them generic credentials. The user may delete the credentials. This might be all that can be done about that without administrative rights.
The Required Fix
The real issue comes from PortableGit itself. Especially for a portable application,4 storing passwords by default is crazy. Nor is the user warned about it. So I needed to know how to avoid this, without having to ask for administrative rights.
I found the fix for that in a reply to a previously posted answer. All you have to do is to remove the system setting with this command:
git config --system --unset credential.helper
Disable Any Credentials
If you don’t want to have any dialog prompting for username and password, in any OS you can edit the global settings with:
git config --global core.askpass ""
This sets the value to empty. The username and password will then be typed on the same command line where you type the other git commands.
Type the Password Only
There is a way to avoid having to type the username again and again when you access your remote repositories. When setting the remotes, just prepend your username to the remote server, such as in:5
git remote add origin https://username@gitlab.com/username/repository.git
You may do the same when cloning repositories from others6:
git clone https://username@gitlab.com/username/repository.git
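To confirm that no credential helper is still configured at any scope and that no remote URL carries a password, the output of `git config --list --show-scope` (Git 2.26 or later) can be checked. The script below is an added example, not part of the original post; the function names, finding labels and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit git settings for stored-credential risks.
# Real use:  git config --list --show-scope | audit_git_credentials
# Each input line has the form: <scope><TAB><key>=<value>

# Prints one finding per line and returns 1 if anything was found, 0 otherwise.
audit_git_credentials() {
    awk '
    BEGIN {
        FS = "\t"
        found = 0
        # scheme://user:password@ (a username alone, user@host, does not match)
        url_re = "^[a-zA-Z][a-zA-Z0-9+.-]*://[^/@:]+:[^/@]+@"
    }
    {
        scope = $1
        eq = index($2, "=")
        if (eq == 0) next                 # key listed without a value
        key = substr($2, 1, eq - 1)
        val = substr($2, eq + 1)
        # credential.helper and per-URL credential.<url>.helper;
        # an empty value resets the helper list, so it is not a finding
        if (key ~ /^credential\.(.*\.)?helper$/ && val != "") {
            print "helper " scope " " val
            found = 1
        } else if (key ~ /^remote\..*\.(url|pushurl)$/ && val ~ url_re) {
            # report the key only, never echo the password itself
            print "password-in-url " scope " " key
            found = 1
        }
    }
    END { exit found }'
}

# Constructed sample in `git config --list --show-scope` format.
sample_config() {
    printf 'system\tcredential.helper=manager\n'
    printf 'global\tcore.askpass=\n'
    printf 'local\tremote.origin.url=https://username@gitlab.com/username/repository.git\n'
    printf 'local\tremote.backup.url=https://username:EXAMPLE-PASSWORD@gitlab.com/username/repository.git\n'
}

sample_config | audit_git_credentials || echo "review the findings above"
```

The scope in each finding tells you which of `--system`, `--global` or `--local` to pass to `git config --unset`.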
Notes
- Just in case you wonder, they also host the repository that generates this blog.
- I only use Windows on other people’s computers. This “feature” was an unpleasant discovery for me.
- It is highly probable to use a portable application on a foreign computer. Since git also isn’t a common program for non–coders, the portable version avoids having to install it.
- It would be possible to add the password. But this would be stupid, because you would be storing the password on a plain–text file.
- This only makes sense to be able to commit later.