Sorry for an absolute mouthful of a post title. I couldn’t find any better way to describe it! In August 2021, Github removed the support for password authentication with GIT repositories. What that essentially means is that if you were previously using your actual Github username/password combination when using GIT (Both private and public repositories), you’re probably going to see the following error :
remote: Support for password authentication was removed on August 13, 2021. Please use a personal access token instead. remote: Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information. fatal: unable to access “…” : The requested URL returned error: 403
The above error message links to a post that goes into some detail about why this change has been made. But in short, using access tokens instead of your actual Github password benefits you because :
The token is unique and is not re-used across websites
The token can be generated per device/per use
The token can be revoked at any point in time if leaked, and will only affect those using that specific token instead of the entire Github account
The scope of the token can be limited to only allow certain actions (e.g. Only allow code commit but not edit the user account)
The token itself is random and isn’t subject to things like dictionary attacks
All sounds pretty good right! Now while the error message is surprisingly helpful, it doesn’t actually go into details on how to switch to using personal access tokens. So hopefully this should go some way to helping!
Generating A Personal Access Token On Github
This is the easy part. Simply go to the following URL : https://github.com/settings/tokens, and hit Generate New Token. You’ll be asked which permissions you want to give your new token. The main permissions are going to be around repository actions like so :
The expiration is up to you however a short duration means that you’ll have to run through this process again when the token runs out.
Hitting generate at the bottom of the page will generate your token and show it to you once. You cannot view this token again so be ready to use it! And that’s it, you have your new personal access token! But.. Where to stick it?
Removing Old GIT Passwords
This is the part that took me forever. While I had the new access token, my GIT client of choice (SourceTree) never prompted me to enter it. This is where things go slightly haywire. I’m going to give some hints where to go, and what I did for Sourcetree on Windows, but you’ll need to vary your instructions depending on which client and OS you are using.
The first place to check on Windows is the Credential Manager. Simply type Credential Manager into your start bar, open the Credential Manager, then switch to “Windows Credentials” like so :
You’ll be shown a set of credentials in this list that have been saved. Your GIT credentials may be in this list. If they are, simply delete them, then continue on. If not then we need to delve into how our specific GIT client actually stored passwords.
For Sourcetree that means going to the following folder on Windows : C:Users<username>AppDataLocalAtlassianSourceTree, and finding a file simply titled “passwd”. Open this, find your GIT credentials and delete them.
Again, your mileage is always going to vary on this step. The main point is that you need to find your credential cache for your GIT client, and delete your old credentials. That’s it!
Entering Your Access Token
In your GIT client, simply pull/push your code and you should be prompted to enter your new credentials because, with the last step, we just deleted the stored credentials we had previously.
Simple enter your Github Username with your Personal Access Token in place of your password. That’s it! Your access token essentially functions like your password in terms of what your GIT client thinks it’s doing, so it’s nice and easy!