[Discuss] deadmanish login?
Kent Borg
kentborg at borg.org
Tue Jan 31 07:54:59 EST 2017
On 01/30/2017 08:46 PM, Dan Ritter wrote:
> First off, you should be using ssh keys and not passwords.
No, you should be using passwords not keys. (In most cases.)
Protect your password, don't give it to anyone, don't recycle it on
different sites. A good password can be easy to remember and easy to
type. As bad as manually typed passwords are the sparkly alternatives
are almost always worse.
The oh-so-terribly-secure ssh keys everyone likes also need to be
protected, but they are much harder to protect. They need to be
encrypted and an encryption key "password" is *very* different from a
password password.
If your ATM card is like mine it has a 4-digit PIN and that is good
enough. But a 4-digit encryption key would never be good enough: That's
how different a password is from an encryption key. A good encryption
key passphrase is very difficult to remember and very difficult to type.
A decent ssh password is good enough--it will sustain a brute force
attack that lasts as long as you are likely to be alive. Using ssh keys
increases the attack surface. And that ssh key will be at rest, in how
many places? And what about the passphrase on your ssh key? Do you even
know how many bits of entropy it has?
-kb, the Kent who also rejects dogma about changing passwords every few
weeks, rejects dogma about never writing down passwords, rejects dogma
about not putting dictionary words in passwords, rejects
brand-spanking-new dogma recommending everyone use the first and most
automated password manager that catches their eye, etc.
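Two of the checks the message above argues about can be made concrete: whether a key "at rest" is actually passphrase-protected, and how the guess budget differs between an online login (rate-limited, like the ATM PIN) and an offline attack on a copied key file. The following is an added example, not code from Kent Borg's message or from the BLU list; the sample key files are constructed (header material only, no real key bytes), and the guess rates in the demo are assumptions stated in the comments.

```python
import base64
import math
import struct

# Added example, not from the original message: classify whether an OpenSSH
# private key file is encrypted at rest, and estimate brute-force cost for a
# PIN, a login password and a key passphrase under online vs. offline rates.

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if len(buf) < offset + 4:
        return None, offset
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if len(buf) < start + length:
        return None, offset
    return buf[start:start + length], start + length


def key_protection(key_text):
    """Classify a private key file's text as 'encrypted', 'plaintext' or 'unknown'."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New-style key: the cipher name follows the magic; "none" means no passphrase.
        try:
            blob = base64.b64decode("".join(body))
        except ValueError:
            return "unknown"
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        if cipher is None:
            return "unknown"
        return "plaintext" if cipher == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 encrypted container
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is announced by a Proc-Type header.
    if any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in body):
        return "encrypted"
    return "plaintext"


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random secret of `length` symbols over `alphabet_size`."""
    return length * math.log2(alphabet_size)


def brute_force_years(alphabet_size, length, guesses_per_second):
    """Expected years to hit a uniformly random secret (half the keyspace) at a guess rate."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / (365.25 * 24 * 3600)


# Constructed sample key files: enough header structure for the check, no key material.
def _openssh_blob(cipher, kdf):
    blob = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):          # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(field)) + field
    return blob + struct.pack(">I", 1)        # number of keys


def _pem(name, blob):
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return f"-----BEGIN {name}-----\n" + "\n".join(rows) + f"\n-----END {name}-----\n"


SAMPLE_PLAIN = _pem("OPENSSH PRIVATE KEY", _openssh_blob(b"none", b"none"))
SAMPLE_ENCRYPTED = _pem("OPENSSH PRIVATE KEY", _openssh_blob(b"aes256-ctr", b"bcrypt"))
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "AAAA\n-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    for label, text in (("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED),
                        ("legacy", SAMPLE_LEGACY)):
        print(f"{label:10s} -> {key_protection(text)}")
    # Assumed guess rates: ~10/s for an online SSH login behind rate limiting,
    # ~1e10/s for an offline attack on a key file copied from disk or a backup
    # (a slow KDF such as bcrypt on the key would cut that rate down sharply).
    print("4-digit PIN (lockout after a few tries): %.1f bits" % entropy_bits(10, 4))
    print("12-char password, online at 10/s: %.2e years" % brute_force_years(95, 12, 10))
    print("12-char passphrase, offline at 1e10/s: %.2e years" % brute_force_years(95, 12, 1e10))
    print("5-word passphrase, offline at 1e10/s: %.2e years" % brute_force_years(7776, 5, 1e10))
```

The design point is the one the message makes in prose: a secret that only ever faces a rate-limited online guesser can be short, while a secret protecting a file an attacker can copy must survive offline guessing at whatever rate their hardware allows, and `key_protection` is the cheap audit that tells you which case each key file on disk is in.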