SSH login: Keys vs Password
Assuming a really strong password is used, are keys really more secure than passwords for SSH login?
I have always used keys because it's more convenient but I was just wondering how keys are more secure as compared to an extremely strong password (say, 24 characters long comprising of multiple symbols, uppercase+lowercase alphabets and numbers all mixed up randomly)?
Comments
The answer is inside you... but it is wrong
"How miserable life is in the abuses of power..."
F. Battiato ---
Tell me - you are using ROOT to login directly... If yes, you are safe with just a 8 char dictionary based password.
/s
Ehhh...uhhhh....hmmmm....ooohh...errrmmmm
Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
A random password of suitably long length is fine.
Definitely weaker but at some point you're arguing between 1 million years to crack vs a 100 mllion years to crack. A distinction good for internet pissing contests but not much else
The keys thing comes primarily because nobody actually uses 24 char true random. At that point you need to write it down & may as well use a key because you're basically doing a key in paper mode.
Which are you going to adopt if you get completely different opinions between here and OGF?
If you're already using keys, for whatever reason, stick with it don't go back to just passwords. It has little to do practically with entropy or a "my key's longer than your key" debate, unless you're using stupidly short passwords, keys are simply more secure in the way they work, also as an adversary you need both the key material AND its password to unlock it, rather than just shoulder surfing or keylogging a password.
Yes, vastly.
I'd say three major effects are in play: Entropy, guessability and 2FA aka Wrench Proofness
Entropy in short means how much randomness is contained. More randomness basically means a higher number of computations to guess (bruteforce) your key. The difference in entropy between an ssh key and even an unusably long password is huge. Some examples:
default 4096 bit RSA ssh key: 4096 bit of entropy lol
The 24 character password
RP8E;7-rB='a$emqz[^t6Qx,
: 148.04 bits of entropyThe 64 character password
p4@8g'5%>s;f^NnG]VYKZ*2{a[Dh$j+JVh<Z#$94mD(@MT5a.qcu/>!Aaw&3B}8e
: 417.24 bits of entropyGuessability: You probably did not choose a password of 24 completely random symbols - most likely it is based on something from your real life. This compromises your entropy HUGELY and is the basis of dictionary attacks. I cannot overstate how important this factor is. A ssh key is always based on completely random data and is thus removes this human factor completely.
2FA aka 2 Factor Authentication: If you are compromised, you are not able to give someone else access without physical access to the ssh key data.
This also covers inevitable mistakes like typing your password into the wrong window etc.
Even if someone threatens you with a wrench, they won't get into your customers servers:
A personal note: In my experience, the standard for high security corporate settings, is a 6-8 word diceware password, AND a physical 2FA token like a Yubikey.
I'm also disappointed in carlin0, localhost and AuroraZero wasting their time with sarcasm instead of making the effort to teach, or at least vocalize whatever criticism you have and stand behind your actions. Lazy and shameful.
There's also the whole process of how private and public keys work. Your private key, unlike your password, doesn't have to travel over the network.
I do not agree with this. I think my ssh
root
user with passwordtoor
is secure enoughOn a more serious note, what about those ed25519 keys? Why are people recommending them over RSA keys?
Websites have ads, I have ad-blocker.
Did you know you can change the ssh port to something other then port 22 ? That should be the first change you do before worrying about passwords and RSA keys. Most attacks are just botnets trying random IP with common list of ports. If they see port 22 is not open, they'll try some other IPs. Unless you are under a targeted attack, your main concern should be not using dictionary/default passwords with easily guessable user (such as root) on a widely known port (22). Most of the hacks do not bypass passwords but attempt a zero day vulnerability attack when a bypass is found. Changing the port to a 5 digit port is usually enough to protect your server. If you want more protection, block root access and use a firewall with your IP whitelisted. If cannot, you can also use a two factor authentication on your ssh login.
Websites have ads, I have ad-blocker.
I do use passwords like
6oZlqXfveQYLkdjGPz7MECtP
(just took this one from the generator with its "default" settings). Currently most of my passwords are about this length.Of course something like KeePass is necessary to store them.
'Random' passwords are only random when they are generated/crafted.
Once they are stored in password managers, they are just waiting to be leaked into someone's database/dictionary like other passwords.
Koofr Cloud Storage: Lifetime Subscription (1TB) for $119.99 with coupon KOOFR40 [aff link]
I always thought ed25519 was "better" (it's what I use) so I went down a very tiny rabbit hole, copy/pasta from https://goteleport.com/blog/comparing-ssh-keys/:
I also change my SSH port from 22 to whatever
shuf -i 49152-65535 -n 1
gives me and usePermitRootLogin without-password
(sometimes I need root for stuff that I've been unable to figure out using# usermod -aG sudo Lantern1368
) andPasswordAuthentication no
in my sshd_config.Diceware (using real dice) rules. It's my master password for my really really secure stuff. Yeah I wrote it down at first but once the muscle memory and brain memory kicked in and it became habit, it's in my head and nowhere else.
Privacy is a human right.
. Changing the port to a 5 digit port is usually enough to protect your server.
I deem this as security through obscurity.
Might as well keep the password "password" after that, right?
You should definitely upgrade your password to "hunter2"
Hey teamacc. You're a dick. (c) Jon Biloh, 2020.
How the hell did you know my server's root password? Now I have to change it... Think I'll change it to
password123
Websites have ads, I have ad-blocker.
No. Password managers are generally safe and you should absolutely use them. Use a long diceware passphrase. Some alternatives I trust and use are Bitwarden and KeepassXC.
(Password lists mostly come from hacked websites which didn't encrypt users passwords, or bruteforcing/dictionary-attacking weak passwords to decrypt them. All password managers encrypt your password for storage.)
Yeah . Diceware is cool because it has high entropy, but in a way that is easy for humans to remember. Security People™ consider diceware to be more secure than a "random symbols" password, because you can actually memorize it - and thus don't leave password notes laying around
This is a very good tactic but absolutely not enough.
This is good advice I suggest using reliable bastion hosts for this purpose - machines with static IP that you
ssh -J bastion-host my-server
each time. Note that SSH keys are still on your personal computer - the bastion is just an SSH proxy basically.Yeah - TIL that the server you SSH to can read your password in plain text. That means that just SSHing to the wrong machine, means you have compromised your password. Super easy mistake - and security is about removing possible compromising mistakes.
Back to the OP topic: There is plenty of good advice in this thread But the benefit of an SSH key is that it is so extremely robust and trusted, that you can basically just setup a SSH key login, disable password login, and then be done.
Careful, apps like Bitwarden and KeypassXC are 100% safe.
There have been instances where there existed features/bugs allowing for retrieving stored passwords without knowing the masterpassword. (Example: Bitwarden Windows Client last year, masterpassword bypass if someone knew your windows password or something, exploiting the biometrics feature even if it was disabled).
Every app is vulnerable. It's just a matter of time before someone finds holes in them. Or they add one alongside a new feature (be it unintentional or intentional). After the damage is done, your least problem will be finding the developers and arguing with them.
Always use 2FA and on a sperate device. Protects you from any online threat. For physical protection your only option is to hire enough bodyguards you can fully trust. To prevent someone from raiding your house and forcing you to hand out everything.
Me personally I still use Bitwarden, (Vaultwarden, via VPN, login only via YubiKey) + TOTP on a second phone.
My 5 char password never get hacked in the past 12 years or maybe 15 years.
Why would you make everything complicated, maybe you are the one who will be locked by your safety box.
https://microlxc.net/
Isn't a key just a longer random password?
/s
Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png
This is exactly why I get totally furious when I see people get the message "Warning: Remote Host Identification Has Changed" and simply continue connecting.
This is also why I have made it a habit to connect to ip or only use DNS servers I trust, since DNS is pretty easy to hijack.
No, but this is a common misconception. If you are using passwords the server must know your password (or a hash thereof) to be able to authenticate you. This means that if the server is compromised so is your password. As linked above, there are ways to get the password in plain text if you control the server.
When using keys your private key never leaves the client and the server does not have it nor need it. Data encrypted with your public key (which is the key the server have) can only be read by you, the owner of the private key.
It is two very different ways of authentication, it is not just a long password saved in a file.
https://www.urbandictionary.com/define.php?term=/S
Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png
Thanks for taking the time to explain the difference, despite the opening clearly marked as sarcasm, for the benefit of the thread starter and future readers of this thread!
Currentmonthcurrentyear that's the password if you force people change their password every month. 😆
If you can, force them use key.
In many cases it's okay to use a strong password for your own logins if you know what you're doing. It's secure enough if you are ready to wipe your server when it's hacked. If you don't want to wipe your server never, then use key.
Filen.io - use this link to signup and we both get extra 10GB free.
https://filen.io/r/4d472d5cdb57f6663621a251065e0b51
Sorry, completely missed that and did not know about the /s switch. You learn something new every day, thanks.
Hopefully my explanation was useful for someone else.
So people now a days require to be told that something is sarcasm? Just 15 years back, people would know how to properly use sarcasm and you dont have to tell/flag it so both you and the reader knows it is sarcasm.
Example:
Websites have ads, I have ad-blocker.
I missed it too. This is why I always do it like a proper tag with an open and close around the statement. :P
And the recent xz backdoor affecting SSH shows that my advice was flawed, and security is never as simple as a single step
The Onion fuming af at this comment right now.
Web Development & SysAdmin services
LOL! I guess people are getting dumber just as devices are getting smarter. AI takeover wont be far off now!
Websites have ads, I have ad-blocker.