My .netrc file got exposed. What should I do?
The .netrc file is a Unix credential store that many tools — curl, wget, Git, FTP clients — use for automatic authentication. It stores hostnames with their corresponding usernames and passwords in plain text. An exposed .netrc gives an attacker immediate, authenticated access to every service listed in it.
Change every password in the file right now — they are in plain text and fully usable.
Unlike password hashes, .netrc passwords require no cracking. Anyone who read the file can authenticate immediately to every service listed. Treat this as an active breach for each listed service.
// the 60-second version
- Read the file and list every machine + login entry.
- Change the password on every listed service immediately.
- Remove the .netrc file from the web-accessible directory.
- Switch to SSH key authentication wherever possible.
01 Understand what .netrc stores
The .netrc format is simple: each entry names a host, a login username, and a password:
machine ftp.example.com login deployuser password s3cr3tpassword
machine api.github.com login myusername password ghp_xxxxxxxxxxxxxxxxxxxx
default login anonymous password anonymous
Every machine block represents a service where these credentials will be used automatically. The default block applies to any host not explicitly listed.
Git uses .netrc for HTTPS authentication. If your .netrc contains GitHub, GitLab, or Bitbucket credentials, an attacker can clone your private repositories, push malicious commits, or modify repository settings — with no further effort.
02 Identify every service listed
Open the file and catalogue every machine entry. For each one, identify: what service it connects to, what level of access the credentials provide, and where you change the password.
# list every hostname and username without echoing passwords
# (-o prints only the matched tokens, so one-line entries stay safe too)
grep -oE "(machine|login)[[:space:]]+[^[:space:]]+" .netrc
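The grep above covers the common case, but a script that walks the file token by token is safer when a .netrc mixes one-line and multi-line entries or contains macdef blocks. The following shell script is an added example, not part of the playbook: the helper names netrc_inventory and netrc_mode_ok are hypothetical, and the sample entries it writes to a temporary file are constructed, not real credentials.

```shell
#!/bin/sh
# Added example for step 02: inventory a .netrc without ever echoing a
# password, then confirm the file is not readable by other users.
# Helper names (netrc_inventory, netrc_mode_ok) are hypothetical; the
# sample entries below are constructed, not real credentials.

# Print "machine <host> login <user>" (or "default login <user>") for every
# entry. Handles one-entry-per-line and multi-line layouts, skips the value
# after "password"/"account", and ignores macdef bodies.
netrc_inventory() {
    awk '
        skip && NF == 0 { skip = 0; next }     # blank line ends a macdef body
        skip { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "machine") {
                    label = "machine " $(i+1); i++
                } else if ($i == "default") {
                    label = "default"
                } else if ($i == "login") {
                    printf "%s login %s\n", label, $(i+1); i++
                } else if ($i == "password" || $i == "account") {
                    i++                        # never print the secret
                } else if ($i == "macdef") {
                    skip = 1; break
                }
            }
        }
    ' "$1"
}

# Succeed only when the mode is 600 or 400 (owner-only). Tries the GNU
# stat form first, then the BSD/macOS form.
netrc_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Demo on a constructed file; point it at ~/.netrc for a real audit.
sample=$(mktemp)
printf '%s\n' \
    'machine ftp.example.com login deployuser password s3cr3tpassword' \
    'machine api.github.com' \
    '  login myusername' \
    '  password ghp_xxxxxxxxxxxxxxxxxxxx' \
    'default login anonymous password anonymous' > "$sample"
echo "entries to rotate:"
netrc_inventory "$sample"
if netrc_mode_ok "$sample"; then
    echo "mode ok (owner-only)"
else
    echo "WARNING: $sample is readable by others; chmod 600 it"
fi
rm -f "$sample"
```

Run it against ~/.netrc and paste the output straight into your rotation checklist; because the password token is skipped inside awk, the list is safe to share with whoever owns each service.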
03 Change every password immediately
For each service in the file:
- GitHub / GitLab / Bitbucket — go to Settings > Developer Settings > Personal Access Tokens and revoke the old token. Generate a new one with minimum required scopes.
- FTP / SFTP servers — change the password via your hosting control panel or with passwd on the server directly.
- Other web services — use the service's password change or API key rotation flow. Most have this under Account Settings > Security.
04 Remove the file from the web root
The .netrc file belongs in the home directory of the user that needs it, with owner-only permissions (mode 0600), never in a web-accessible location. Move it, and add a web-server deny rule (nginx shown) as a belt-and-suspenders measure:
location ~ /\.netrc$ {
    deny all;
    return 404;
}
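Step 04 as a runnable sweep, added here as example code rather than anything from the playbook: it finds stray .netrc files under a web root, moves each into the owning user's home directory with mode 0600, and refuses to clobber a .netrc that already lives there. The function names and the throwaway directories in the demo are constructed; pass your real web root and home directory in their place.

```shell
#!/bin/sh
# Added example for step 04: relocate every .netrc found under a web root
# into the owner's home directory and lock it down. Function names are
# hypothetical; the demo directories are temporary and constructed.

# Print the path of every .netrc (and .netrc.* backup copies) under $1.
find_exposed_netrc() {
    find "$1" -type f \( -name '.netrc' -o -name '.netrc.*' \) 2>/dev/null
}

# Move one file into $2/.netrc and make it owner-read/write only.
# Refuses to overwrite an existing destination so two copies must be
# merged by hand rather than silently losing entries.
relocate_netrc() {
    src=$1
    dest="$2/.netrc"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest; merge $src into it by hand" >&2
        return 1
    fi
    mv "$src" "$dest" && chmod 600 "$dest"
}

# Relocate every hit under web root $1 into home directory $2.
# Returns 0 only when nothing is left under the web root afterwards.
sweep_webroot() {
    find_exposed_netrc "$1" | while IFS= read -r f; do
        relocate_netrc "$f" "$2" || echo "left in place: $f" >&2
    done
    [ -z "$(find_exposed_netrc "$1")" ]
}

# Demo on a constructed throwaway layout (safe to run anywhere).
demo_webroot=$(mktemp -d)
demo_home=$(mktemp -d)
mkdir -p "$demo_webroot/public_html"
printf 'machine ftp.example.com login deployuser password s3cr3tpassword\n' \
    > "$demo_webroot/public_html/.netrc"
if sweep_webroot "$demo_webroot" "$demo_home"; then
    echo "web root clean; credentials now at $demo_home/.netrc (mode 600)"
else
    echo "web root still contains a .netrc; see messages above"
fi
rm -rf "$demo_webroot" "$demo_home"
```

Run the sweep after rotating the passwords, not instead of it: moving the file stops further reads but does nothing about the copies already taken. The refusal to overwrite is deliberate, since a second .netrc under the web root may carry entries the home copy lacks and those still need rotating.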
05 Switch to SSH keys for future authentication
Password-based authentication stored in files is a fragile pattern. Where possible, replace .netrc with SSH key authentication:
# generate a new ED25519 key
ssh-keygen -t ed25519 -C "deploy@yourdomain.com" -f ~/.ssh/id_deploy
# add the public key to the remote service
cat ~/.ssh/id_deploy.pub
# → paste this into GitHub/GitLab SSH keys settings
Once SSH authentication is working, you can delete the .netrc entries for those services entirely.