Farewell .netrc, Welcome Git Credentials
Lately at work, a concern was raised about the use of a .netrc file to store one’s Git credentials.
The .netrc file was introduced in Unix a long time ago as a means to avoid entering a username and password again and again when frequently connecting to the same FTP sites. The .netrc is a plaintext file where credentials are stored in the clear, and as such it is very insecure. To mitigate this, some programs will refuse to read it unless it is readable only by yourself.
We can do better.
As of version 1.7.9, Git introduced a “credential API” meant to let git push and git fetch talk to external programs to cache or store the username/password used in HTTP transactions. This effectively allows integration with platform-native keychains.
Git comes with two stock credential helpers: cache and store.
$ git config --global credential.helper "cache --timeout=3600"
This caches your credentials in memory for one hour after you enter them for the first time.
$ git config --global credential.helper store
This stores your credentials in the unencrypted ~/.git-credentials file, which in fact isn’t any better than using a .netrc file.
However, besides those two stock helpers, there are additional credential helpers meant to integrate with platform-native keychains. And in fact, they’re likely already bundled with your Git distribution.
Git for Windows:
$ git config --global credential.helper wincred
Stores the credentials inside the Windows Credentials Store (hit the Windows key, type “Credential Manager” then launch the application to see what’s in there).
Git for Mac:
$ git config --global credential.helper osxkeychain
Stores the credentials inside the OS X Keychain.
Git for Linux:
$ git config --global credential.helper gnome-keyring
Stores the credentials inside GNOME Keyring (better suited to GNOME-based distributions).
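As an added example (not from the original post), the shell function below checks a home directory for the plaintext stores discussed above, .netrc and ~/.git-credentials, and reports whether each is readable by other users and whether credential.helper is set to store. The function name audit_git_creds and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a home directory for plaintext Git credential stores.
# audit_git_creds is a hypothetical helper name, not part of Git.

# Print one finding per line for the home directory given as $1.
audit_git_creds() {
    home=$1
    for f in "$home/.netrc" "$home/.git-credentials"; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" = "------" ]; then
            echo "plaintext:$name:owner-only"
        else
            echo "plaintext:$name:readable-by-others"
        fi
    done
    # Report the helper set in the user's global config, if git is installed.
    if command -v git >/dev/null 2>&1 && [ -f "$home/.gitconfig" ]; then
        helper=$(git config --file "$home/.gitconfig" --get credential.helper) || helper=
        case $helper in
            "")     echo "helper:none" ;;
            store*) echo "helper:store:plaintext" ;;
            *)      echo "helper:$helper" ;;
        esac
    fi
}

# Stand-alone use: pass the home directory to audit, e.g. sh audit.sh "$HOME"
if [ "$#" -gt 0 ]; then
    audit_git_creds "$1"
fi
```

Any plaintext line in the output means the credentials in that file are still on disk in the clear, even after credential.helper has been switched to a keychain helper.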
Hope that helps!