Still can access account from device after changing account password

[bitcodenetwork]

Select Topic Area

Question

Body

I work using windows, by using the vscode version control plugin, I can connect to github, by logging in first, in this case I log in using email and password.

scenario:
I think, what if someone uses my device, and I forget to delete the github credential on my device. Then that person can manipulate my repo, even though the repo is private.

I tried to change my password on my github account via the website. But I'm confused, why after I changed my account password via the website, I can still push/pull from my device.

is there another way to secure my account/repo for that scenario?

thank you.

[thevindu-w]

If you authenticated using a Personal Access Token, then you can delete that token from https://github.com/settings/tokens (or https://github.com/settings/personal-access-tokens if you used a fine-grained token).
If you authenticated using the account password, you can remove that unwanted session from https://github.com/settings/sessions.

[rubikproxy]

When you change your GitHub account password, existing authentication tokens or cached credentials (such as those stored by Git or VSCode) might still allow access to your repositories. This happens because GitHub uses personal access tokens (PATs) or cached credentials for authentication instead of the password for API operations like push/pull.

what you can do to secure your account and repositories fully:

1. Revoke Cached Credentials

• Windows Credential Manager:
  Remove your cached GitHub credentials stored on your device:
  1. Open Control Panel → Credential Manager → Windows Credentials.
  2. Look for credentials associated with github.com.
  3. Delete them to prevent unauthorized access.
• Alternatively, clear the credentials used by VSCode or Git in your .git-credentials file if present.

2. Revoke Access Tokens

Changing your password doesn’t automatically revoke access tokens.

• Go to GitHub Settings → Developer Settings → Personal Access Tokens → Tokens (classic).
• Revoke any active tokens to block access through cached tokens.
• If you use SSH keys for authentication, delete the compromised keys under Settings → SSH and GPG Keys.

3. Enable Two-Factor Authentication (2FA)

Add an additional layer of security by enabling 2FA for your GitHub account:

• Go to GitHub Settings → Security → Enable Two-Factor Authentication.
• Use an authenticator app or SMS for 2FA.

4. Logout from All Sessions

To ensure no device retains access:

• Go to GitHub Settings → Security → Sessions.
• Log out of all active sessions, which will require re-authentication across devices.

5. Audit OAuth App and SSH Key Access

Check for any OAuth apps or SSH keys that might still have access:

• OAuth Apps: Revoke access to any unfamiliar or unnecessary applications under Settings → Applications.
• SSH Keys: Remove unused or suspicious SSH keys under Settings → SSH and GPG Keys.

6. Educate Yourself on VSCode Git Authentication

• VSCode often caches credentials using a credential helper (e.g., git-credential-manager). Clearing these credentials ensures that your session is no longer valid after a password change.
• For added security, use personal access tokens (PATs) instead of passwords for VSCode integration.

7. Disable GitHub Username and Password for Authentication

GitHub has deprecated password authentication for Git operations. Use PATs or SSH keys instead for secure access.

8. Bonus – Use Private Browsing and Device Access Controls

• Always lock your device or sign out of applications after use.
• Avoid storing credentials on shared or public systems.

By following these steps, you’ll ensure your GitHub account and repositories remain secure, even if someone else has access to your device.