How is git credential manager core for windows secure if it displays token

Asif Kamran Malick picture Asif Kamran Malick · Mar 24, 2021 · Viewed 11.1k times · Source

I have credential.helper=manager-core, which is the new helper for windows credential manager. I don't understand how is it secure if you can get git to display your credentials with git credential fill.

Steps to reproduce

  1. confirm the credential helper by executing command git config --system --list. If you are running Git for Windows 2.29 or later, then you should be able to see credential.helper=manager-core in the list. For earlier versions the credential.helper is set to manager and not manager-core. I'm running the latest Git For Windows 2.29.2 , so for me it return manager-core.
  2. Next, if your credentials have been stored by the helper, then below command should return the credentials on stdout :
git credential fill
protocol=https
host=github.com`
<HIT ENTER KEY TWICE, as A blank line signals input completion>
  1. The credentials should now display on your console. It is able to display password/token based on whatever you initially configured your git with. In my case I had authenticated with a GitHub personal access token and it displayed that pat.

Answer

bk2204 picture bk2204 · Mar 24, 2021

What you've noticed is that if you invoke git credential fill in the same way as Git does, then it will output the credentials that Git uses to authenticate you. This is useful because Git needs some way to get them out, and it's also possible for you to use a token by extracting it in this way to make API calls if you need to.

The reason this is secure is because if you've properly configured an appropriate credential manager, the data is stored in an encrypted format, and it's only unlocked either when you log in or when you otherwise unlock it. How that works on Windows depends on how you have Git Credential Manager Core configured, but the libsecret helper I use on Linux stores the data encrypted in my system keychain, which is unlocked when I log in, and is not available when I'm not logged in.

Note that in many cases, you can extract similar data using other APIs that the credential store uses, such as (on Linux) secret-tool or the like, so the fact that you can print it to the terminal using git credential fill is no different than your ability to use any other API to print it to the terminal or view it using the typical viewer you use on your system.