GitHub CEO Thomas Dohmke wants to get rid of passwords.
Open-source software has been plagued with cybersecurity issues for years, and GitHub and other companies in the space have been taking steps to bolster security. Dohmke knows, however, that getting to the root of the industrywide problem will take more than corporate action: It will ultimately require a cultural shift in how developers work.
Appointed CEO in November 2021, replacing Nat Friedman, Dohmke was previously the company’s chief product officer. In a June interview with Protocol at Toronto’s Collision tech conference, he talked about what GitHub is doing to crack down on software vulnerabilities and improve security at one of the most widely used sites in software development.
The open-source community has witnessed rising attacks against software supply chains, many of them enabled by compromised passwords. GitHub hosts code written by millions of individual and corporate developers, playing a key role in how software gets made while being a high-value target for attackers.
Part of the solution, according to Dohmke, is getting rid of passwords entirely. He told Protocol that he wants GitHub to go completely passwordless by 2025.
The first step of password security, he said, is moving to a password manager like 1Password. “The next step is that you never actually manage the password,” he said.
Some options for how this would work include magic links (a link sent to a trusted email account that users click to log in) as well as Face ID or Touch ID (a biometric unlock of a credential held on the device, rather than a shared secret the server stores), according to Dohmke. “It’s obviously a hard step to get there,” he acknowledged. The technology already exists, but getting it embedded in systems and processes is the challenge.
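The magic-link flow described above, as an added illustration and not code from GitHub or from the article: the server issues a high-entropy single-use token, stores only its hash, emails the link, and on redemption takes the identity from its own record rather than from anything in the link. The service class, the 15-minute lifetime and the sample addresses are assumptions made for the example.

```python
"""Minimal magic-link login flow (illustrative, not GitHub's implementation).

Security properties demonstrated:
  * token comes from the OS CSPRNG with 256 bits of entropy
  * only a hash of the token is stored, so a leaked table yields no links
  * tokens expire and are single use, so a replayed or stale link fails
  * the email/identity lives in the server record, not in the link
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for the example


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


def _digest(token: str) -> str:
    # Store hashes only; guessing a token from its digest is infeasible.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class MagicLinkService:
    """Hypothetical service; a real deployment persists records in a database."""

    def __init__(self, base_url: str, clock: Callable[[], float] = time.time):
        self._base_url = base_url
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, PendingLogin] = {}

    def issue(self, email: str) -> str:
        """Create a token for `email` and return the link to send by email."""
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._pending[_digest(token)] = PendingLogin(
            email=email, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        # The link carries only the opaque token, never the user identity.
        return f"{self._base_url}/login?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the email the token was issued for, or None if the token is
        unknown, already used or expired."""
        key = _digest(token)
        record = self._pending.get(key)
        if record is None or record.used:
            return None
        if self._clock() > record.expires_at:
            del self._pending[key]
            return None
        record.used = True  # single use: presenting the same link again fails
        return record.email


def token_from_link(link: str) -> str:
    """Extract the `token` query parameter from a link produced by issue()."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    svc = MagicLinkService("https://login.example.test")
    link = svc.issue("dev@example.test")
    print("send by email:", link)
    print("first redemption:", svc.redeem(token_from_link(link)))
    print("replay:", svc.redeem(token_from_link(link)))
```

The remaining risk in this design is the email account itself: whoever controls the inbox controls the login, which is why the article's mention of a "trusted" email account matters.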
In the interim, the platform has already taken steps in response to recent cyberattacks. It announced in May that all developers who contribute code on GitHub.com will be required to enable two-factor authentication by 2023. Currently, only 16.5% of GitHub users have two-factor authentication set up.
Dohmke thinks the resistance to two-factor is in part a cultural issue.
“We have been asking ourselves” why such a small share of GitHub users have taken advantage of the extra security feature, he said. Part of it is the inconvenience factor. “Many people are lazy,” he said. The other part is the fear of losing that second factor when transitioning from one phone to another. He compared it to the stress people feel about getting locked out of a bank account.
He also thinks it has to do with, in part, a “lack of awareness” around cybersecurity and how important it is to have these systems set up to prevent attacks. Some developers in certain parts of the world also might not have access to two-factor tools, particularly if they don’t have access to a smartphone.
Another investment GitHub is making to bolster security is helping developers secure their code against vulnerabilities. This piece of the puzzle involves overcoming other cultural challenges within the developer community, according to Dohmke, which include getting developers to stop putting secrets and passwords in their code, “a bad practice” that can lead to hacks.
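To make the "secrets in code" problem concrete, here is a small pre-commit style scanner, added as an example and not GitHub's secret-scanning code. It checks a constructed sample file for well-known credential formats and for hard-coded credential assignments, using a Shannon-entropy threshold to skip low-entropy placeholders. The sample file, the finding labels and the 3.0-bit threshold are assumptions for the example; the AWS key is the documented example key from AWS's own documentation, and the GitHub token is a made-up string of the right shape, not a real token.

```python
"""Toy secret scanner (illustrative, not GitHub's secret scanning)."""
import math
import re
from collections import Counter
from typing import List, Tuple

# Ordered: the first pattern that matches a line decides its label.
PATTERNS = [
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Generic `password = "..."` style assignment; value must be a quoted literal.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api_key|token)\w*\s*[=:]\s*[\"']([^\"']{8,})[\"']"
)
ENTROPY_THRESHOLD_BITS = 3.0  # assumed; placeholders like "changeme" fall below it


def shannon_entropy(value: str) -> float:
    """Bits per character; higher means the value looks generated, not typed."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding_kind) for each line that looks like a secret."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind))
                break
        else:
            m = GENERIC_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD_BITS:
                findings.append((lineno, "hardcoded-credential"))
    return findings


# Constructed sample source file for the example (line numbers in comments).
SAMPLE_SOURCE = """\
import os
# line 2: fine, the secret comes from the environment at runtime
DB_PASSWORD = os.environ["DB_PASSWORD"]
# line 4: hard-coded password with real entropy, should fire
ADMIN_PASSWORD = "s3cr3t-P4ssw0rd!9"
# line 6: placeholder, low entropy, should not fire
DEFAULT_PASSWORD = "changeme"
# line 8: GitHub token shape (made-up string, not a real token)
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
# line 10: AWS documentation's example access key id
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
# line 12: PEM header of a private key pasted into source
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for lineno, kind in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

Line 3 is the pattern the scanner is meant to encourage: the secret is read from the environment at runtime, so nothing sensitive lands in the repository history.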
A big part of GitHub and parent company Microsoft’s job now, in his view, is educating developers on best practices and security topics. Developers who aren’t educated on these topics, according to Dohmke, are five times more likely to make a mistake. “These practices are important for any modern company,” he said.
During our interview, the CEO also addressed the looming recession and its potential impact on hiring and operations at GitHub, and shared his thoughts on hybrid work and the war for talent. Parent company Microsoft has slowed hiring in certain divisions, but GitHub has not slowed down its own hiring, other than seasonal slowdowns.
“Nothing to announce on layoffs or anything like that, and it’s not on my mind, but, you know, never say never. A recession is looming,” he said.