DEV Community

Sloan

Should I have separate GitHub accounts for personal and professional projects?

This is an anonymous post sent in by a member who does not want their name disclosed. Please be thoughtful with your responses, as these are usually tough posts to write. Email sloan@dev.to if you'd like to leave an anonymous comment or if you want to ask your own anonymous question.


I was just wondering what I should do - I've been using GitHub for around 2 years now, and I don't know if I should create a separate account for purely professional projects. Then, I'd still be able to keep my personal GitHub for anything I'd like to contribute to. Would that be helpful or redundant? I'd love to know some pros and cons.

Discussion (31)

Tony Miller

Yes. Same goes for Trello and a bunch of other stuff. GitHub and other tools allow enterprises to overtake your accounts because they might have access to corp info. So if you don't want your account to go towards your ex-employer, you should keep those separate. I don't know why they don't warn you about it when you sign up.

Mike Holloway

I didn't know about the GitHub control thing so I tried to read more about it, but couldn't find much in the way of what conditions allow an organisation to take control of a personal account - have you got a link you can share?

I imagine if the org has control of the email address, that's how they do it, but if the user has control of it - it's not possible?

Anyway, I did find a link that tells you best practices when leaving an organisation in terms of what to do with your account: docs.github.com/en/account-and-pro...

Danny Eck

Previous job was consulting at a Big5 and I used to create a new account per project. After 10+ profiles this was unwieldy.

Now I manage everything through my personal account with PATs and email associations. New projects or forks are owned by the org if they are work-related. I use different gpg signing keys for work vs personal.

Dubious that GitHub would/could allow "overtaking" a personal account by an enterprise customer. At worst, I imagine the enterprise can invalidate the PAT grant and boot you from the org, but your personal account does not suddenly belong to them.

When you leave an organization or project, you should definitely disassociate email in your personal account settings. Same as the org does decommissioning your email account when you leave.

James Liu

Regardless of whether Github's TOS allows a company to take control of your account, the company can still sue you for having their property in your account. Even if you clean up and remove yourself from all access, if they are mad at you they can still sue you. If you are right, you get to explain yourself in a fancy, expensive room.

They can also sue Github. And remember Github will do what a court orders them to do.

This is not legal advice. I am not licensed to practice law anywhere (anymore). This is more ... life advice to the effect of: avoid situations where you need legal advice.

Tony Miller

Hello, Mike! Here's a comment on Hackernews about GitHub in a thread about Trello: news.ycombinator.com/item?id=22874508

This is where I got my "GitHub too" info from.

Thomas H Jones II

That "GitHub too" thread is pretty light on details. Not really seeing anything that provides any indication of the actual risk-scenario. Is there any other place you've seen mention of an enterprise getting GitHub to hijack (or neuter) an account – especially an account whose primary address (etc.) was outside the company's control?

Mark Bainter

Yeah, that doesn't make any sense with anything in the GitHub organization features of today. Maybe there was something broken in its early days that made this possible?

Or maybe there's a lot more to this story that he's not telling us.

Mark Bainter

As someone who runs a GitHub org I assure you this is not the case for anything up to enterprise. I can only invite you or uninvite you from the organization. I have zero control over your personal account and I have no ability to take it over.

I haven't used the enterprise option - but I have looked into it. As I understand it, at that level they essentially have their own GitHub implementation and thus their own user space separate from GitHub proper. They create your account like they would any other service, so I don't think this would even be a question in that scenario.

Tony Miller

Good to hear, probably the whole thing was improved since then.

Brad

There shouldn't be much difference between your personal and "professional" projects.

If you're talking about a work account, things are different. Jobs could give you your own account they manage. Or they could just have you use your own personal one.

Another thing to consider is switching GitHub accounts on the same machine can be a pain, so using the same one on the same machine should be the goal.

Ian Turton

I want to clearly de-mark between the work I do for my employer and the work I do in my own time on my own projects. I've had employers in the past that claim to own anything I do in their "time" or with their "resources" so this distinction is important to make.

Thomas H Jones II

On the plus side, your commit history makes it pretty easy to prove the necessary demarcation (especially if you've set up your profile with multiple email addresses and associated signing-keys).

Michael Mior

I suppose it depends on what you're trying to prove to who. Commit timestamps can be set to any time you want. The fact that you commit with a different email address doesn't really mean much either since you could easily commit using work time and resources with a personal address.

jmau111

I usually don't like peremptory assertions, but here I would say definitely yes. There are security risks too:

  • you may disclose confidential information publicly
  • you might leak credentials

If something bad happens to you, it's uncool but it's only you, but if you mess up with your customers/employers, it's a different case.

More generally, it's better not to put all your eggs in one basket, and if you find it a bit overkill or inconvenient, use a password manager.

Mark Bainter

I don't understand the risk you're envisioning here. Can you elaborate?

We shouldn't be any more careless with our personal GitHub than our work one, so what are we talking about here?

Michael Mior

Unfortunately a password manager doesn't really solve much of the inconvenience of needing to log out, log back in, and use 2FA again.

jmau111

Some password managers do integrate 2FA.

Michael Mior

Yes, some do. But it's still another step to do in order to switch accounts rather than just use the same account.

jmau111

Convenience should not prevail over security, to me.

Michael Mior

I generally agree. Although security and convenience is almost always a tradeoff. You need to weigh the possible security risks against the inconvenience. For me, I don't see the security risk as significant enough to warrant the inconvenience. For someone else, that decision might be different.

Joe Mainwaring

I am the owner of 4 GitHub Orgs with plans ranging from Free to Enterprise, IMO there is only one reason I would ever have separate Personal and Work accounts, and that’s if I wanted to conceal my personal activities from my coworkers.

Outside of that reason, there’s no value and you’re just complicating things for yourself. Your account does not become company property by joining an org, I simply remove you from the org when you’re offboarded.

Avinal Kumar

IMO if it is really needed or the organisation is closed source you should consider creating a different account for that.

For all other tasks and open source organizations you can use your personal account without any worries. Just add your professional email id and use it for signing off whenever you are putting anything to professional projects.

Kiliman

I use separate accounts for my personal and work emails. I manage them by creating separate Chrome profiles, so I can access the correct GitHub account from the browser.

I also use GitKraken which supports multiple profiles.

Overall, this works pretty well for me.

AdamDSherman

Most projects you work on in a professional environment will be owned by the company or team so that will be separate to your profile.

Otherwise I see no need to keep your own professional work separate from your other stuff, other than maybe keeping things organised if you have many repos.

drsensor

This works on social media accounts, but for a dev account I highly suggest you don't do that. Just set it to not display your contribution history in any private repo. You can set this in the Settings menu.

If you just want to not clutter your Github account with many repos (to make searching easier), you can use another git service. I've been using sr.ht for dumping my prototype, example, reproduce-bug repos.

Stefano Canepa

I use one account with different emails, access tokens, and ssh keys. I have GPG only linked to my personal emails, and I see more issues maintaining multiple accounts.
I would suggest checking your contract and labour laws. There may be a clause stating your employer owns the copyright for all the software you create, even the one you develop in your free time. If this is true for you, having a separate account does not make any difference. I'm a software engineer, so please check with your company's legal or open-source program office.

Andrew Baisden

Possibly, but you could also make the professional account private if you did not want to share the codebase.

Thomas H Jones II

I use one account but associate work and private emails – and signing-keys – to the account. If a project wants commits with "their" email address (or signing-key), I configure my git client to do The Right Thing™ (I think I even posted an article to dev.to +a year or so ago about how to set up my client so it's painless: projects in my local repos' "work" and "personal" directory trees use the correct commit info).

I mean, my employer is a consulting company. We service many distinct customers. That makes it necessary for me to need to contribute to their projects in a way that requires distinct attribution. But, I didn't want a bajillion profiles, so, the multiple emails and keys option was how to make it all manageable (and let me keep a consolidated activity dashboard and not have to configure/manage multiple, 2FA-enabled accounts).
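
The per-directory setup described in the comment above can be done with git's conditional includes (`includeIf`). This is an added example, not the commenter's own configuration or the article they mention; the directory names, emails and key IDs are constructed placeholders, and the script works in a scratch HOME so no real config is touched.

```shell
# Added example: one account, per-directory git identity via includeIf.
# Emails, key IDs and directory names are constructed placeholders.

setup_identities() {   # $1 = directory used as HOME (scratch, not your real one)
  mkdir -p "$1/work" "$1/personal"
  cat > "$1/.gitconfig" <<'EOF'
[user]
    name = Example Dev
    email = dev@personal.example
    signingkey = PERSONALKEY0001
[commit]
    gpgsign = true
# Any repository under ~/work/ picks up the overrides in the included file
[includeIf "gitdir:~/work/"]
    path = ~/.gitconfig-work
EOF
  cat > "$1/.gitconfig-work" <<'EOF'
[user]
    email = dev@employer.example
    signingkey = WORKKEY0002
EOF
  HOME="$1" git init -q "$1/work/client-a"
  HOME="$1" git init -q "$1/personal/side-project"
}

effective() {          # $1 = HOME, $2 = repo path, $3 = config key
  # Resolve the value git would actually use for a commit in that repo
  HOME="$1" XDG_CONFIG_HOME="$1/.config" GIT_CONFIG_NOSYSTEM=1 \
    git -C "$2" config --get "$3"
}

demo() {
  h="$(mktemp -d)"
  setup_identities "$h" 2>/dev/null
  for repo in work/client-a personal/side-project; do
    printf '%-24s %s  key=%s\n' "$repo" \
      "$(effective "$h" "$h/$repo" user.email)" \
      "$(effective "$h" "$h/$repo" user.signingkey)"
  done
  rm -rf "$h"
}

demo
```

Running `git config --show-origin user.email` inside a repository shows which file supplied the value, which is a quick check before the first commit to a new client repo.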

Keff

I don't know if there's a better or worse approach. I personally have it all in the same account because I'm too lazy to switch accounts xD I think it's personal preference

diek

As others said, I think one profile is good enough, keep it simple.

Garret

Way easier to use one account imo, unless you use a completely different computer for work but I use my personal since I work from home