Hub needs access to the GitHub API for most of its operations and for that, a one-time username/password exchange is required. This is separate from the authentication git does for cloning.

Technically, information about public repos is available through the API even _without_ authentication, but at this point hub doesn't know yet whether the rspec/rspec-core repo is public or private. Because it _might_ be private, hub asks for credentials preemptively.

The prompt says password is never stored. The most obvious explanation is the application asks for a password every time, which as you might imagine is rather annoying when trying to clone a public repo.

If hub indeed needs the password one time to set up some state it could perhaps communicate that.

Fair point. Ideas outlined in #225 will improve this messaging.

225 has been open for 6 years with not much (none at all?) progress made to date. Improving existent messages to explain that the password needs to be entered one time and it's a password for the API not git (since I would expect hub to clone via ssh with configured keys) would improve usability of hub for new users.

I agree with @p-mongo! I've been trying to figure out what the authentication was for since I was cloning a public repo. Thank you for this clarification; I think it would definitely help new users if this was stated somewhere