@ckraft They are encrypted, but I don't see how that solves the problem? I still have to somehow carry my keys with me and transfer them to the machine I'm working on and they would still be scattered around on machines I may never touch again which isn't secure encrypted or not. If I know I'm not going to touch the machine again I can delete them, but it's just too much hassle that I don't have the time or energy to deal with.
I've already migrated my major projects to a different service with much more flexibility.
I agree that separating the account password from the repo password is a good idea, it's just not implemented in a way that's manageable. I don't use bitbucket as a secure store I use it as a convenience and it's no longer convenient.
Atlassian Team members are employees working across the company in a wide variety of roles.
March 3, 2022 edited
@Jon Mckeever and @Marc Reig as is common practice with software feature releases, we often do staggered rollouts. So, in this case some users could potentially be able to use their account password for a couple of days after the official March 1, 2022 date. This appears to be the scenario both of you experienced. However, we very strongly advise youto switch to app passwords immediately as you could face unexpected disruption by the removal of your ability to authenticate with your account password for Git over HTTPS and API at any time after March 1, 2022. To avoid any disruption, I strongly advise you to migrate to app passwords ASAP.
I'm a very LOW-level user of GIT and bitbucket, and I've read all the comments in this chain but they may as well be in a language foreign to me.
I had been using the windows git from the command line and that HAD BEEN working with what I presume was my *account* password but trying to do a git pull from one of the repositories in my workgroup this morning, the following messages were returned:
Logon failed, use ctrl+c to cancel basic credential prompt. Password for 'https://<myusername>@bitbucket.org': remote: Bitbucket Cloud recently stopped supporting account passwords for Git authentication. remote: See our community post for more details: https://atlassian.community/t5/x/x/ba-p/1948231 remote: App passwords are recommended for most use cases and can be created in your Personal settings: remote: https://bitbucket.org/account/settings/app-passwords/ fatal: Authentication failed for 'https://<myusername>@bitbucket.org/<workgroupname>/<repository_id>.git/'
I went to the link recommended to set an 'app password' and had NO IDEA what permissions I needed to set. Should I have just checked EVERY one of the permissions?
I guess what I'm asking is...is there an "Atlassian App Passwords for Dummies" posting out there somewhere?
Thanks in advance for whatever guidance anyone (David D.?) can provide.
Perhaps my query is very similar to the post by Renee Dubuc just above.
Atlassian Team members are employees working across the company in a wide variety of roles.
March 3, 2022 edited
@Clemens Wendt sorry for the disruption. For clarification, the email we provided Monday, February 28, 2022, was not the only notification of this change we sent to customers. We have been notifying customers on multiple channels starting in September 2021 via blog (in September 2021), multiple emails (starting in November last year), and, since mid-January, a terminal warning each time a user used their account password with the Git over HTTPS protocol. Furthermore, we believe the error messaging we put in place for those affected by the rollout of this change allows for a relatively quick, DIY resolution.
For a Git push to Bitbucket Cloud to get your code checked in, it should be relatively quick to create an app password and use that in place of your account password to push your code to Bitbucket Cloud. However, for those using an account password for Basic authentication in CI/CD pipelines and similar automated DevOps and GitOps flows it could take a bit more time to migrate over to app passwords which is why we were proactive in notifying customers well ahead of time of this change.
I'm sorry for the disruption this has caused you. Please let us know if you have any questions or issues once you have created an app password and tried using it in place of your account password to get your code pushed to your Bitbucket Cloud repository.
Atlassian Team members are employees working across the company in a wide variety of roles.
March 3, 2022 edited
@_JK_ Kalenowsky we had already updated our community post a couple of days to include a link to the documentation detailing the differing privilege scopes for app passwords under the "Why are we making this change?" section. You can find that documentation here. Please note, this documentation is in our REST API documentation space, but these same privilege scopes are used for app passwords as well.
@David Dansby I was aware of the change coming, I'm NOT 'complaining' about that. BUT now that the change HAS happened, I need some help!
WHAT boxes I should check when trying to create the App password? As I read all of the documentation that was pointed to in the announcements, I'm sure it was quite clear to the more savvy users of "your"/Atlassian's product/service. TO ME, a "LOW-LEVEL" user as I described myself as I opened my comment, it was all "foreign language" and Google Trnslate offered no help
My request was for an "Atlassian App Passwords for Dummies" (or something along those lines) that describe, in terms simple and clear enough to me, WHICH of the 47,000 permission boxes I should check in that App password creation web page for what I do (okay, so it's only 24 boxes, not 47,000). And "what happens next", once I create (hopefully successfully) that App password.
I have been using an app password instead of an account password since long before this change. Today I tried to pull on IntelliJ and I was prompted for my password. I typed in my app password and I got this:
This change is garbage and w/ very little heads up. I've been spending hours trying to get this working in our current deployment script. I'm doing everything you say to do but it simply doesn't work.
Atlassian Team members are employees working across the company in a wide variety of roles.
March 4, 2022 edited
@Chris Astles can you please provide me with more details so I can try and assist you.
When in IntelliJ are you trying Git pull from inside the terminal in IntelliJ? Are you sure you are using a new app password with the correct perm scopes? You created the app password in your Bitbucket Cloud account's Personal Settings, correct (i.e., here https://bitbucket.org/account/settings/app-passwords/)? If so, then you can look inside your app passwords in settings and see if/when it was used.
Atlassian Team members are employees working across the company in a wide variety of roles.
March 4, 2022 edited
@Chris Silveysorry for the disruption. If you explain your issue I can try and assist you. Please let me know
For clarification, the email we provided Monday, February 28, 2022, was not the only notification of this change we sent to customers. We have been notifying customers on multiple channels in hopes they would take action prior to this change to avoid any potential disruption. This started in September 2021 via blog (in September 2021), multiple emails (startingin November last year), and, since mid-January, a terminal warning each time a user used their account password with the Git over HTTPS protocol.
Atlassian Team members are employees working across the company in a wide variety of roles.
March 4, 2022 edited
@_JK_ Kalenowsky unfortunately, we don't have documentation that is as explicit as what you stated, "Atlassian App Passwords for Dummies". I personally wish we did :(
However, let me try and help you quickly. If you are just using an app password for pushing and pulling from your local repositories on your computer to your Bitbucket Cloud account, then you should only require
Repositories: Read and Write (pro-tip: you can just click Write and it will also select Read)
Snippets: Read and Write
If you don't use Snippets you will not need this, but I recommend this just in case you want to make a Snippet and push/pull from it in your Bitbucket Cloud account in the future.
@David Dansby I did indeed make those changes and used the app password instead of the account password as instructed in the docs.
I was able to finally get it working after hours of trying to find out what was causing it. We use a repo called BuildSuite for Commerce Cloud which allows us to use grunt and npm run commands to deploy our Master repo to our website.
Inside of the BuildSuite repo, there was a folder called exports which contained our Master repo code. For whatever reason, after deleting what was inside of that folder the deployment started working again and I no longer received the "Warning: remote: Bitbucket Cloud recently stopped supporting account passwords for Git authentication." error.
Not sure exactly how that fixed the issue but it did, thanks!
You guys should have given a prompt in VS 2019 extension UI or correct error in output window. I wasted several hours trying to figure out what's the problem. Better option would be to provide a prompt of these changes on Bitbucket's website where we have option to clone a repo. So that in case someone having problem and trying to see if can access repo and clone from web/
Atlassian Team members are employees working across the company in a wide variety of roles.
March 7, 2022 edited
@Musab Gulfam can you provide more details with your issue so that I can try and help you. Where are you seeing this "Authentication failed" error? In your terminal, while you try and push/pull/fetch from your Bitbucket Cloud repo or while trying to use the Bitbucket Cloud API, or somewhere else?
Unfortunately, as we do not own this extension and the original creator appears to no longer maintain it, we are not responsible for its error messages and updates. I did make an issue in the GitHub repository for the extension explaining how this change may affect users that are using the extension in the hopes that they may see it.
But yes, if you are using this extension and still using your account password then you will most likely get an error when authenticating with this Bitbucket extension for Visual Studio. You will need to update to an app password as you noted.
Lastly, I want to warn you of using that extension, because, as stated above, we do not own it and it appears to no longer be maintained. So, you run the risk of having other issues in the future by using it.
Let me know if you have any other questions around this app password change.
Atlassian Team members are employees working across the company in a wide variety of roles.
March 8, 2022 edited
@urias are you using Sourcetree on Windows? If that is the case then there is an issue with the Git credential manager that Windows uses that causes issues when updating credentials in Sourcetree on Windows. Currently, it appears the only way to resolve this issue is to do a full reinstall. I detail the steps to resolve the issue in this Sourcetree community post, please visit it and walk through the suggest steps until you resolve your issue: https://community.atlassian.com/t5/Sourcetree-questions/App-password-SourceTree/qaq-p/1959470
And to clarify, this is not an app password issue but a Sourcetree issue specific to the Windows version.
283 comments