I have `credential.helper=manager-core`, which is the new helper for Windows Credential Manager. I don't understand how it is secure if you can get git to display your credentials with `git credential fill`.

Steps to reproduce

1. `git config --system --list`. If you are running Git for Windows 2.29 or later, then you should be able to see `credential.helper=manager-core` in the list. For earlier versions the `credential.helper` is set to `manager` and not `manager-core`. I'm running the latest Git for Windows 2.29.2, so for me it returns `manager-core`.
2. `git credential fill`

   ```
   protocol=https
   host=github.com
   ```

   Then hit the Enter key twice, as a blank line signals input completion.
What you've noticed is that if you invoke `git credential fill` in the same way as Git does, then it will output the credentials that Git uses to authenticate you. This is useful because Git needs some way to get them out, and it's also possible for you to use a token by extracting it in this way to make API calls if you need to.

The reason this is secure is that if you've properly configured an appropriate credential manager, the data is stored in an encrypted format, and it's only unlocked either when you log in or when you otherwise unlock it. How that works on Windows depends on how you have Git Credential Manager Core configured, but the `libsecret` helper I use on Linux stores the data encrypted in my system keychain, which is unlocked when I log in, and is not available when I'm not logged in.

Note that in many cases, you can extract similar data using other APIs that the credential store uses, such as (on Linux) `secret-tool` or the like, so the fact that you can print it to the terminal using `git credential fill` is no different than your ability to use any other API to print it to the terminal or view it using the typical viewer you use on your system.
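As an added example (not code from the question, the answer, or Git itself), here is a small Python model of the key=value line protocol that `git credential fill` reads on stdin and writes on stdout. The sample store, its token value and the `unlocked` flag are constructed to illustrate the answer's point that the secret is only handed out while the store is unlocked, and `redact` shows how to log such a block without exposing the password.

```python
"""Minimal model of the line protocol spoken by `git credential fill`.

Added example, not code from the original question or answer. Git sends a
credential helper key=value lines terminated by a blank line; the helper
answers in the same format. The in-memory store and its 'unlocked' flag are
constructed here to mirror the answer's point that an encrypted store only
yields secrets while it is unlocked.
"""
from typing import Dict, Optional

# Constructed sample store: what an unlocked credential manager might hold.
SAMPLE_STORE = {
    ("https", "github.com"): {"username": "octocat", "password": "ghp_EXAMPLE_TOKEN"},
}


def parse_credential_block(text: str) -> Dict[str, str]:
    """Parse key=value lines up to the first blank line (the end-of-input signal)."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if line == "":
            break  # blank line terminates the request, as in `git credential fill`
        key, sep, value = line.partition("=")  # values may themselves contain '='
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key] = value
    return attrs


def format_credential_block(attrs: Dict[str, str]) -> str:
    """Serialise attributes back into the protocol form, terminating blank line included."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"


def fill(request: str, store=SAMPLE_STORE, unlocked: bool = True) -> Optional[Dict[str, str]]:
    """Model a helper answering a `get`: only a matching, unlocked store yields a secret."""
    attrs = parse_credential_block(request)
    if not unlocked:
        return None  # locked store: nothing to return, like a keychain before login
    match = store.get((attrs.get("protocol"), attrs.get("host")))
    if match is None:
        return None
    return {**attrs, **match}


def redact(attrs: Dict[str, str]) -> Dict[str, str]:
    """Copy of the attributes with the password hidden, for logging or debugging output."""
    return {k: ("<redacted>" if k == "password" else v) for k, v in attrs.items()}
```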