Create a Bitbucket App Password example

Steps to generate a Bitbucket App Password

To avoid a fatal invalid credentials or authentication failed Bitbucket error on login, you must use a Bitbucket App password as part of your Git authentication process.

Log into your online account, and follow these steps to create a Bitbucket App Password:

1. Click your account’s profile picture in the top right-corner of the Bitbucket webpage.
2. Click the Personal Settings link in the dropdown menu.
3. Select the link on the left labeled App passwords. It is under the Access management heading.
4. Click the blue Create App Password for Bitbucket button.
5. Provide the Bitbucket App Password a label (name) and set the access permission scopes.
6. Click Create to generate the Bitbucket App Passwords and copy the access token’s value.
7. Use the App Password when you log in to avoid fatal authentication credentials failed errors.

Why is a Bitbucket App Password required?

All of the cloud-based version control tools, including GitHub and GitLab, are tightening their security controls.

If a high-profile client’s source code were to be compromised by a weak password or careless security practices, the version control vendor would end up with egg on its face, even if the credentials breach was no fault of its own.

To protect their reputations, and the reputations of their clients, distributed version control system vendors such as GitHub and Bitbucket now require generated app passwords or personal access tokens for push, pull and clone operations.

You can create a Bitbucket App Password in just a few simple steps.

How is an app password or token beneficial?

When a user authenticates against GitHub or Bitbucket with a regular account password, they have full access to every resource the service provides. That’s a clear violation of the principle of least privilege which is the bedrock of all enterprise security best practices.

One of the key benefits to the Bitbucket App Password or the GitHub Access Token is that a user can receive administrative access to Git repositories, but have no rights at all to scripted pipelines, pull requests, webhooks or user account administration.

When you create a Bitbucket app token, you can configure fine-grain levels of security.

Bitbucket access token security

Another benefit is the ability to disable a previously created Bitbucket App Password if an employee leaves the company. Bitbucket App Passwords can be disabled and deleted on a per-user basis. This isn’t possible if a user is given root account access.

As another benefit, the generated Bitbucket App Password is highly random and will not be guessed through a dictionary attack. Its entropy is also high enough to make a brute force attack on the password unlikely to succeed as well.

What levels of security can I apply to Bitbucket App Passwords?

The Bitbucket App Password provides security scope over the following services and features:

• Account
• Workspace membership
• Projects
• Repositories
• Pull requests
• Issues
• Wikis
• Snippets
• Webhooks
• Pipelines
• Runners

Levels of access can be configured according to the following permissions:

• Read
• Write
• Delete
• Admin
• Edit (for pipeline variables)
• Email (for accounts)

How do I use an App Password in Bitbucket?

The Bitbucket App Password replaces your account password for Git operations.

So to perform a Git clone, push, pull or fetch operation with Bitbucket, you must provide the App Password instead of the account password you may  traditionally use.

If you do not provide an App Password with Bitbucket clone or push operation, you encounter the following password support removed error message:

$ git push
fatal: Invalid credentials
remote: Bitbucket Cloud recently stopped supporting account passwords for Git push authentication.
remote: See our community post for more details
remote: To push or clone repos Bitbucket app passwords are needed
remote: Bitbucket app passwords are recommended for most use cases and can be created in your Personal settings
fatal: Authentication failed for Bitbucket push

How do I get my Bitbucket App Password if it’s lost?

The Bitbucket App Password is only displayed at the time it is generated.

If the password is lost, it cannot be retrieved or even regenerated. An Atlassian administrator must create a new Bitbucket App Password for you.

Once created, Bitbucket App Passwords cannot be retrieved or regenerated. A new token must be created.

How do I push or clone with a Bitbucket App Password?

The first time you clone a repository you are prompted to provide your Bitbucket username and password. Provide your account name as the username, and type the Bitbucket App password into the password field.

After the authentication completes, the git clone operation proceeds. Every subsequent time you pull or push, the Bitbucket App Password is automatically sent to the Atlassian server, so you do not need to repeatedly enter the access token’s value.

DevOps, security and Bitbucket App Password generation

The source code repository is the foundational layer of the DevOps stack. It makes sense for vendors like Bitbucket to further secure this space, and eliminate standard password support for Git and enforce the creation of App Passwords and personal tokens for access.