Announcement: Bitbucket Cloud account password usage for Git over HTTPS and API ending March 1, 2022

Thanks for the heads up! 🙏

작업할때의 프로토콜의  사용지침서에 따라 에러가 날시 대처기술이 있을까요~???^^

It stopped working today or are the servers down? I cannot commit anything.

@svenbader this change has not been implemented yet, so the issue you are experiencing is completely unrelated. Committing on your local machine/directory is unrelated to Bitbucket Cloud. Are you trying to commit in Bitbucket Cloud itself or your local machine/directory? We have not seen/heard of any issues with committing on Bitbucket Cloud itself.

I also tried with some of my personal repos myself and didn't experience any issues committing within Bitbucket Cloud. If you are having issues committing on your local directory (i.e., before you push to Bitbucket Cloud) then the issue is most likely to related to git on your local machine; there could be a number of reasons for such an issue.

@David Dansby  I commited to bitbucket cloud, I added the repositories to phpstorm using the https-URL: https://myusername@bitbucket.org/myusername/myrepository.git years ago. The error message was "Push failed, remote: Invalid username or password". Now it is working so maybe it was a temporarily problem on my machine or someone of your team is testing the changes for March1st ;-)

@svenbader I can say with 100% confidence that the issue you experienced is completely unrelated to this upcoming change. Also, to clarify, the issue you experienced is related to pushing, not committing.  Furthermore, testing is never done on production servers. 

Based on the error message you provided and without knowing more, I would surmise the most likely issue is that your password was entered incorrectly; I personally have this happen to me all the time on my local computer because I always type my password wrong hah :(. However, I'm glad you got it working without any further assistance :) 

Let us know if you experience anything else weird and/or related, especially after March 1.

Happy coding,

David

Migrating off of Bitbucket because of this. It's been a fun 9 years, but I need to be able to access my repos with a static typable password. It isn't feasible nor secure to add my ssh key on all of the machines where I may be committing a change and the app passwords are a nightmare to try to type much less remember, not to mention you can only see them once. If I could set my own app password maybe, but as it stands it's unusable for me.

Regretfully this has been a massive headache for me this month as there is something in my git credentials that prevents the revision.

I submitted my issue to Stack Overflow - https://stackoverflow.com/questions/71269362/ - without success, perhaps you could advise what I should do, if you succeed I can post this on Stack Overflow in case someone else encounters the same problem.

Rhinor 

------

David Dansby's suggestions below resolved the issue. Many thanks.

@rhinor the answer in that StackOverflow discussion is along the right lines, so I'm curious what is still the issue. You may be missing a step or too (the answer provided in there wasn't the most detailed).

I see that you are using a Macbook, so the following is trying to closely align with Mac OSX.

Can you please tell me if, when you push/pull from Bitbucket Cloud, your terminal is prompting you to enter your password? If you are not being asked to enter your password/credentials then I imagine you are not seeing the terminal prompt you for your password for authentication, because typically a lot of OS systems store your credentials after the first successful use of the password for that specific Git remote URL. 

If you are using a Mac then your password is most likely being stored in its credential manager, OS X Keychain. To determine what credential manager Git is using to store credentials/password you can follow use the steps in the Cause section of the following Bitbucket knowledge base post to find out where they are being stored (this is similar to the answer in the StackOverflow thread): 

https://confluence.atlassian.com/bbkb/why-am-i-not-prompted-for-password-when-pushing-or-pulling-to-my-repositories-in-bitbucket-cloud-via-https-800293400.html#:~:text=The%20most%20likely%20reason%20for,c)%20for%20a%20specific%20repository.

Once you determine where your credentials are being stored you can do 1 of 2 things:

First, please ensure you create an app password.

1. This is the step I personally prefer: determine where your credentials are being stored in the Cause section of the link I provided above,
   1. Remove those stored credentials.
      
      1. For example, on my Macbook, my creds are being stored in Keychain Access app which is the app associated with the git config credential.helper osxkeychain.
   2. In this case, the next time you go to push/pull to Bitbucket Cloud from your terminal again you will be prompted to enter your password.
   3. Enter your new app password and then the credential manager Git is using should store this app password
   4. Next time you push/pull you should no longer see the error messaging and will not be impacted the change on March 1, 2022
2. I personally do not prefer this because then you have to enter your password every single time you push/pull: use the Resolution section in the support link I provided above
   1. Unset the credential manager Git uses.
   2. Next, time you push/pull your terminal will prompt you to enter your password. 
   3. Enter your app password going forward to avoid seeing the error message, and importantly to avoid being impacted by the change on March 1, 2022 going foward.

Please let me know if this helps.

I followed the instructions. When I'm trying to enter the app password on sourcetree it says:

Failed to get user details for user [my user]

you do not have permission to access URL 'https://api.bitbucket.org/2.0/user. The request returned with the statuts code 'Unauthorized'

What should I do?

Account settings on sourcetree:

Hosting service:  Bitbucket

Protocol: HTTPS

Authentication: Basic

Username: my username

I push my changes to AWS server using basic authentication over AWS SSH. Do I have to now use the app password instead?

How is it I am just getting this email now, less than 24 hours before these changes are being applied?? I understand the reason but the drop everything and do this right this second is absurd!! 

This change appears to have broken my Sourcetree install.  I've followed the information on how to create a temp application password, and have added this to the authentication details in Sourcetree's options.  The app shows "authentication OK", yet when I try to interact with my repo I'm seeing a "SSL certificate problem: unable to get local issuer certificate".  
Atlassian - have you fully vetted the changes to this?

UPDATE:  I'm seeing that firewalls appear to be blocking some elements in this new authentication mechanism.  I found that disabling mine does indeed allow my Sourcetree install to once again talk to Bitbucket Cloud.  Not sure what the internal reasons are for the breakage, but this might be necessary workaround.

@beef623 I can personally relate to your frustration but we (i.e., Bitbucket Cloud) believe this change is necessary for the overall security of our users in order to protect against credential scanning attacks.

TBH, I have some of the same concerns/annoyances as you with regards to dealing with app passwords for my personal Bitbucket Cloud account. This may not be the best resolution for your situation, but you could use a password manager to store your app password so you don't have to memorize it. It's what I personally use. It's not a perfect solution, but it works pretty well for me; maybe it can assist with your concerns as well.

Best,

David

You are not developer, and not admin too.

It is so stupid. I need access to my repositories from dozens of different computers. I need HTTPS access.

@Kevin Matlock thank you for the update. I was actually just about to respond. We haven't experienced this issue on our side testing with Sourcetree. I'm glad you got it working. To clarify, the Firewalls you reference on specific to you (or your company), correct?

@David Dansby yes it's a client-side firewall product that my company has deployed.  I suspect it's just a matter of white-listing Sourcetree for this necessary network traffic, which I'll work with our network admins on.  I felt it was worth mentioning in case others have a similar sudden breakage just to understand the root cause.

@Kevin Matlock definitely agree! We are grateful for updates on resolutions you have found as it can definitely help others that may be experiencing similar issues. Thank you very much for that.

-- 03-Mar-2022 Final UPDATE and SUCCESS!

For those that are working on Linux servers via HTTPS, I finally got the app password to work. The first clue was made by @Alexander Higgins so thank you for your comment about username and checking what this is set to in your profile.

"HTTPS - I was previously able to connect using the email associated with my Atlassian account which was `firstName.lastName@myCompanyDomain.com`. This does not work for app passwords with https . You need to use the username which shows in settings under your Atlassian account."

Even after I updated this, I was still getting the warning. This is because the credential manager has cached your old password. I tried rebooting my server, but it's still cached some place else beside memory and beside the config files. So if you clear your passwords at all levels explicitly by:

git config --local --unset user.password

git config --global --unset user.password

git config --system -unset user.password (might need to be root via sudo)

It will prompt for the new app password and the warning message goes away.

You can restore using your new app password by

git config --global user.password "<generated_app_pwd_here>"

So it seems that they are giving us a few extra days passed Mar 1 to fix this on our side and the warning DOES go away if you fix it right!

Thanks,

David

--- 02-Mar-2022 UPDATE ---

It's now 02-Mar and I did another test check-in and get the same message. So this message is not conditional on the date and hopefully not on the proper use of an app password.

@David Dansby - can you briefly  comment on the state of this change? Has the use of login passwords gotten extended with the pending issues people have listed here?  If we still get this message on a check-in, are we still doing something wrong or will it always show even if it's accepting the app password. 

--- 01-Mar-2022 UPDATE ---

It's now 01-Mar and after doing a test check-in, I get the same message.  I'm wondering if it's all working, but the message is still displayed in error, especially since I updated my stored password yesterday to the new app password. It would be nice to hear from the support team today ;)  Thanks, David

---------------------------------------------------

Hi!

I followed the instructions to create an app password and then updated the password in my Git Credential Manager in my RedHat Linux client by entering:

git config --global user.password "<generated_pwd_here>"

but I'm still getting the below notice when I push a change to my repository.

What else do I need to update?

Thanks,

David

remote: You are using an account password for Git over HTTPS.
remote: Beginning March 1, 2022, users are required to use app passwords
remote: for Git over HTTPS.
remote: To avoid any disruptions, change the password used in your Git client
remote: to an app password.
remote: Note, these credentials may have been automatically stored in your Git client
remote: and/or a credential manager such as Git Credential Manager (GCM).
remote: More details:
remote: https://bitbucket.org/blog/deprecating-atlassian-account-password-for-bitbucket-api-and-git-activity

That would have been nice to notify us at least a week in advance... just got an email today about that.

What about Git LFS? AFAIK, it always uses http to fetch files. It seems that it does not use any password, so the security is probably purely URL-based.

Hi!

I followed the instructions to create an app password and then updated the password in my Git Credential Manager by entering

git config --global user.password "<generated_pwd_here>"

but I'm still getting the below notice when I push a change to my repository.

What else do I need to update?

Thanks,

remote: You are using an account password for Git over HTTPS.
remote: Beginning March 1, 2022, users are required to use app passwords
remote: for Git over HTTPS.
remote: To avoid any disruptions, change the password used in your Git client
remote: to an app password.
remote: Note, these credentials may have been automatically stored in your Git client
remote: and/or a credential manager such as Git Credential Manager (GCM).
remote: More details:
remote: https://bitbucket.org/blog/deprecating-atlassian-account-password-for-bitbucket-api-and-git-activity

Simone

@David Dansby Where can I find documentation about the permissions for an app password?

How do I know what permissions I need for Git Bash?

I work with GitHub Desktop app. I love it and do not mean to change it.

I've just wrote this post on Isuees list to GitHub Desktop:

https://github.com/desktop/desktop/issues/14035

They closed it saying; not a problem from us.

Sumarizing:

• I've a BitBucket account with some personal projects created by me. Those sync on my PC and correctly managed from GitHub Desktop. They sync OK today with my BitBucket account user/pwd pair.
• But I've some sync projects on same PC where I'am a contributor (not my projects, but other fellows ones), but I've ADMIN rights on those projects.
• Those are the ones that do not sync. If I refresh, it gives me an Authentication Failed and no user/pwd possible works. I've created an APP Pwd for all user accounts, with all permision checks marked. Full rights. Used those tokens to login and nothing.
• My app password works on my projects as my Atlassian user/pwd pair do. But shared projects simply do not sync. Keep asking for credentials.

Any ideas?