GitHub’s site is a huge target for hackers. Its CEO thinks ditching passwords will improve security.

Thomas Dohmke sat down with Protocol to talk about what the open-source code hosting site is doing to address security vulnerabilities, including an aim to go passwordless by 2025.

Toronto, Canada, 22 June 2022: "AI is my Copilot" - Thomas Dohmke, GitHub, on Centre Stage during day two of Collision 2022 at Enercare Centre in Toronto, Canada. (Photo By Vaughn Ridley/Sportsfile for Collision via Getty Images)

GitHub CEO Thomas Dohmke spoke to Protocol about its plan to go passwordless.

Photo: Vaughn Ridley/Sportsfile for Collision via Getty Images

GitHub CEO Thomas Dohmke wants to get rid of passwords.

Open-source software has been plagued with cybersecurity issues for years, and GitHub and other companies in the space have been taking steps to bolster security. Dohmke knows, however, that to get to the root of the industrywide problem will take more than just corporate action: It will ultimately require a sea change and cultural shift in how developers work.

Appointed CEO in November 2021, replacing Nat Friedman, Dohmke was previously the company’s chief product officer. In a June interview with Protocol at Toronto’s Collision tech conference, he talked about what GitHub is doing to crack down on software vulnerabilities and improve security at one of the most widely used sites in software development.

The open-source community has witnessed rising attacks against software supply chains, which are often enabled by compromised passwords. GitHub also hosts code written by millions of individual and corporate developers, playing a key role in how software gets made while being a high-value target for hackers.

Part of the solution, according to Dohmke, is getting rid of passwords entirely. He told Protocol that he wants GitHub to go completely passwordless by 2025.

The first step of password security, he said, is moving to a password manager like 1Password. “The next step is that you never actually manage the password,” he said.

Some options for how this would work include magic links (a link sent to a trusted email account that users would click to log in) as well as face or touch ID, according to Dohmke. “It’s obviously a hard step to get there,” he acknowledged. The technology already exists, but getting it embedded in systems and processes is the challenge.
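To make the magic-link option concrete, here is an added illustration (not GitHub's code, and not anything the interview describes in detail) of how a service can issue and redeem such links safely: each token is HMAC-signed, expires after a fixed window and can be redeemed only once. The server key, the hostname and the in-memory token store are constructed for the example.

```python
import hmac, hashlib, secrets, time

# Constructed server-side key for the example; a real service would load it from a secrets manager.
SERVER_KEY = b"example-server-key-not-for-production"
TOKEN_TTL_SECONDS = 15 * 60

# Stand-in for a database of issued, not-yet-used tokens: sha256(token) -> (email, expiry)
_issued = {}

def issue_magic_link(email, now=None):
    """Create a single-use, time-limited token and return the link to send to the user's email."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(32)          # unguessable per-link randomness
    expiry = int(now + TOKEN_TTL_SECONDS)
    payload = f"{email}|{expiry}|{nonce}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    token = payload.hex() + "." + tag
    # Store only a hash of the token so a leaked table does not contain usable links.
    _issued[hashlib.sha256(token.encode()).hexdigest()] = (email, expiry)
    return f"https://example.invalid/login?token={token}"

def redeem_magic_link(token, now=None):
    """Return the email to log in, or None if the token is forged, expired or already used."""
    now = time.time() if now is None else now
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None                            # malformed token
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                            # signature mismatch: token was altered or forged
    email, expiry, _nonce = payload.decode().split("|", 2)
    key = hashlib.sha256(token.encode()).hexdigest()
    record = _issued.pop(key, None)            # pop makes the token single-use
    if record is None or now > int(expiry):
        return None                            # unknown, already redeemed, or expired
    return email

def token_from_link(link):
    """Extract the token query parameter from a link produced by issue_magic_link."""
    return link.split("token=", 1)[1]
```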

In the interim, the open-source platform has already taken steps to respond to recent cyberattacks. It announced in May that it will require all developers who contribute code on the platform to use two-factor authentication by 2023. Currently, only 16.5% of GitHub users have two-factor authentication set up.

Dohmke thinks the resistance to two-factor is in part a cultural issue.

“We have been asking ourselves” why such a small share of GitHub users have taken advantage of the extra security feature, he said. Part of it is the inconvenience factor. “Many people are lazy,” he said. The other part is the fear of losing that second factor when moving from one phone to another. He compared it to the stress people feel about getting locked out of a bank account.

He also attributes it in part to a “lack of awareness” around cybersecurity and how important it is to have these systems set up to prevent attacks. Some developers in certain parts of the world also might not have access to two-factor tools, particularly if they don’t have access to a smartphone.

Another investment GitHub is making to bolster security is helping developers secure their code against vulnerabilities. This piece of the puzzle involves overcoming other cultural challenges within the developer community, according to Dohmke, which include getting developers to stop putting secrets and passwords in their code, “a bad practice” that can lead to hacks.

A big part of GitHub and parent company Microsoft’s job now, in his view, is educating developers on best practices and security topics. Developers who aren’t educated on these topics, according to Dohmke, are five times more likely to make a mistake. “These practices are important for any modern company,” he said.

During our interview, the CEO also addressed the looming recession and its potential impact on hiring and operations at GitHub, and shared his thoughts on hybrid work and the war for talent. Parent company Microsoft has slowed hiring in certain divisions, but GitHub has not slowed down its own hiring, other than seasonal slowdowns.

“Nothing to announce on layoffs or anything like that, and it’s not on my mind, but, you know, never say never. A recession is looming,” he said.
