Keywords: GitHub | Personal Access Token | Authentication Security
Abstract: This article analyzes the technical background of GitHub's deprecation of password authentication, focusing on how to use personal access tokens for Git operations. Using macOS as a primary example, it demonstrates the complete process from token generation to secure storage in Keychain, while discussing solutions for Windows and cross-platform environments. It emphasizes security best practices to avoid plaintext token storage risks, compares different approaches from community answers, and provides comprehensive guidance for a smooth transition to token-based authentication.
Recently, many Git users encountered an error when pushing code: "Password authentication is temporarily disabled as part of a brownout. Please use a personal access token instead." This signals GitHub's gradual phase-out of traditional username-password authentication in favor of more secure token-based mechanisms. This article delves into the technical aspects of this change and provides detailed operational guidance.
Technical Background and Authentication Evolution
In 2020, GitHub announced that to enhance security for API and Git operations, it would gradually require the use of personal access tokens (PATs) instead of passwords. This shift addresses inherent risks of password authentication: passwords may be reused, vulnerable to brute-force attacks, and potentially intercepted during transmission. In contrast, tokens offer finer-grained permission control, configurable expiration, and can be revoked individually without affecting the main account password.
Generating a Personal Access Token
First, navigate to the developer settings in GitHub (Settings → Developer settings → Personal access tokens). Click "Generate new token" and select the required scopes based on your needs. For basic Git operations, typically the "repo" scope is necessary. Copy the token immediately after generation, as it will only be displayed once.
macOS: Secure Storage in Keychain
On macOS, the most secure method is to store the token in the system Keychain Access, avoiding plaintext storage. Open the Keychain app and search for "github.com" entries. If old password records exist, it's advisable to delete them to ensure the new token is used. Then, when performing Git operations in the terminal, the system will prompt for credentials: enter your GitHub account email as the username and paste the generated token as the password. Keychain will automatically save this information, eliminating the need for repeated entries in subsequent operations.
# Example: First push triggers credential storage
git push origin main
# Terminal prompt:
Username for 'https://github.com': your-email@example.com
Password for 'https://your-email@github.com': [paste token]Windows and Cross-Platform Solutions
For Windows users, Git Credential Manager (GCM) is the officially recommended credential storage tool. It is typically included with Git for Windows installation. When first prompted for credentials during an operation, GCM will pop up a window requesting username and token, automatically saving them to Windows Credential Manager. Linux users can use git-credential-store or third-party tools like pass for secure storage.
Avoiding Plaintext Token Storage
Directly modifying the remote URL to embed the token (e.g., git remote set-url origin https://<token>@github.com/<repo>) is convenient but stores the token in plaintext within the .git/config file, posing a security risk. Therefore, using system-level credential management tools is preferred.
Cache and Timeout Configuration
To improve efficiency, Git credential caching can be configured. The following commands set a global cache with a one-hour timeout:
git config --global credential.helper cache
git config --global credential.helper 'cache --timeout=3600'Note that the cache is only stored temporarily in memory and expires after a restart, making it suitable for short-term development scenarios.
Troubleshooting and Best Practices
If operations still fail after setup, check if old entries in Keychain or Credential Manager are interfering, and delete them completely before retrying. Ensure the token has sufficient permissions (e.g., repo scope for pushing). Regularly rotate tokens and revoke them when no longer needed. For team projects, consider using GitHub Apps or OAuth tokens for more granular permission management.
In summary, GitHub's authentication evolution promotes more secure development practices. By correctly generating and using personal access tokens, combined with system credential management tools, developers can not only resolve current errors but also enhance overall account security. As technology advances, mastering these skills is crucial for modern software development.