What is the reasoning behind github access tokens?

Question

And are they more secure or less secure than SSH key pairs.

I am using these instead of SSH key pairs, as referenced on github. And it appears to me that they are just randomized complex passwords.

I authenticate now by putting my username / token in, instead of my username / password. I don't see how this can provide better security than a password.

I'm not opposed to using them, but they just seem like auto-generated passwords. It would also appear they are less secure than SSH.

Answer 1

There are a couple reasons for using GitHub access tokens instead of passwords:

• Tokens are pseudorandomly generated, so performing a brute-force guessing attack is infeasible.
• Tokens have a fixed form, which lets them be recognized by secret-scanning software, which can then alert the user or revoke them.
• Tokens can be more narrowly scoped than passwords and therefore they can be expired or revoked easily in case of compromise without worrying about compromising the entire account.

However, they are still a bearer credential: you have to pass them to the remote system just like a password.

SSH keys are more secure because they use asymmetric cryptography. When the SSH session is created, a one-time shared secret is derived, and your key is only used to sign data derived from that secret. You never send your keys over the connection, and consequently, as long as you keep your private key safe, even an attack who can compromise the other side cannot compromise your keys.

As VonC noted, tokens are used over HTTPS and SSH keys are used over SSH, so they aren't interchangeable.