Keeping your account and data secure

To protect your personal information, you should keep both your GitHub account and any associated data secure.

  • About authentication to GitHub

    You can securely access your account's resources by authenticating to GitHub, using different credentials depending on where you authenticate.

  • Creating a strong password

    Secure your GitHub account with a strong and unique password using a password manager.

  • Updating your GitHub access credentials

    GitHub credentials include not only your password, but also the access tokens, SSH keys, and application API tokens you use to communicate with GitHub. Should you have the need, you can reset all of these access credentials yourself.

  • Creating a personal access token

    You should create a personal access token to use in place of a password with the command line or with the API.

  • Reviewing your SSH keys

    To keep your credentials secure, you should regularly audit your SSH keys and deploy keys, and review the authorized applications that access your GitHub account.

  • Reviewing your deploy keys

    You should review deploy keys to ensure that there aren't any unauthorized (or possibly compromised) keys. You can also approve existing deploy keys that are valid.

  • Authorizing OAuth Apps

    You can connect your GitHub identity to third-party applications using OAuth. When authorizing an OAuth App, you should ensure you trust the application, review who it's developed by, and review the kinds of information the application wants to access.

  • Authorizing GitHub Apps

    You can authorize a GitHub App to allow an application to retrieve information about your GitHub account and, in some circumstances, to make changes on GitHub on your behalf.

  • Reviewing your authorized integrations

    You can review your authorized integrations to audit the access that each integration has to your account and data.

  • Connecting with third-party applications

    You can connect your GitHub identity to third-party applications using OAuth. When authorizing one of these applications, you should ensure you trust the application, review who it's developed by, and review the kinds of information the application wants to access.

  • Reviewing your authorized applications (OAuth)

    You should review your authorized applications to verify that no new applications with expansive permissions are authorized, such as those that have access to your private repositories.

  • Reviewing your security log

    You can review the security log for your user account to better understand actions you've performed and actions others have performed that involve you.

  • Removing sensitive data from a repository

    If you commit sensitive data, such as a password or SSH key, into a Git repository, you can remove it from the history. To entirely remove unwanted files from a repository's history, you can use either the git filter-branch command or the BFG Repo-Cleaner open source tool.

  • About anonymized URLs

    If you upload an image or video to GitHub, the URL of the image or video will be modified so your information is not trackable.

  • About GitHub's IP addresses

    GitHub serves applications from multiple IP address ranges, which are available using the API.

  • GitHub's SSH key fingerprints

    Public key fingerprints can be used to validate a connection to a remote server.

  • Sudo mode

    GitHub asks you for your password before you can modify your email address, authorize third-party applications, add new public keys, or initiate other sudo-protected actions.

  • Preventing unauthorized access

    You may be alerted to a security incident in the media, such as the discovery of the Heartbleed bug, or your computer could be stolen while you're signed in to GitHub. In such cases, changing your password prevents any unintended future access to your account and projects.
