Keeping your account and data secure

You can securely access your account's resources by authenticating to GitHub, using different credentials depending on where you authenticate.

Secure your account on GitHub.com with a strong and unique password using a password manager.

You can stay signed in to multiple GitHub.com accounts and managed user accounts and quickly jump between sessions.

GitHub credentials include not only your password, but also the access tokens, SSH keys, and application API tokens you use to communicate with GitHub. Should you have the need, you can reset all of these access credentials yourself.

You can use a personal access token in place of a password when authenticating to GitHub in the command line or with the API.

To keep your credentials secure, you should regularly audit your SSH keys, deploy keys, and review authorized applications that access your account on GitHub.com.

You should review deploy keys to ensure that there aren't any unauthorized (or possibly compromised) keys. You can also approve existing deploy keys that are valid.

Your tokens can expire and can also be revoked by you, applications you have authorized, and GitHub itself.

You can review the security log for your personal account to better understand actions you've performed and actions others have performed that involve you.

Learn about security log events recorded for your personal account.

If you commit sensitive data, such as a password or SSH key into a Git repository, you can remove it from the history.

If you upload an image or video to GitHub, the URL of the image or video will be modified so your information is not trackable.

GitHub serves applications from multiple IP address ranges, which are available using the API.

Public key fingerprints can be used to validate a connection to a remote server.

To confirm access to your account before you perform a potentially sensitive action, GitHub.com prompts for authentication.

You may be alerted to a security incident in the media, such as the discovery of the Heartbleed bug, or your computer could be stolen while you're signed in to GitHub.com. In such cases, changing your password prevents any unintended future access to your account and projects.

You can view and revoke your active sessions in your settings.