Timeline for SSH password vs. key authentication
Current License: CC BY-SA 3.0
7 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| S Feb 5, 2018 at 17:27 | history | suggested | Michael come lately | CC BY-SA 3.0 | Grammar improvements. |
| Feb 5, 2018 at 14:55 | review | Suggested edits | |||
| S Feb 5, 2018 at 17:27 | |||||
| May 12, 2015 at 17:11 | comment | added | Tek Tengu | You obviously didn't get the analogy... This is why security practitioners get the hairy eyeball from the rest of the world. While in a purely technical sense certificates are much stronger than passwords, badly implemented certificates are more swift/silent/deadly than passwords. How many organizations implement them perfectly, oh right, with the recent onslaught of hacks against them, not many. | |
| May 12, 2015 at 13:10 | comment | added | sleblanc | Please, do not promote using passwords instead of keys. You can enforce key rotation. And keys should be locked down with passphrases in any case. A key is like a 2048-bit password protected by another password (the passphrase). What stops your vitriolic wife from installing snooping software (keylogger) on your son's phone, easily retrieving the 4-number combination? | |
| Aug 14, 2014 at 14:03 | comment | added | JDS | I like this analogy. However, it isn't perfect. In a managed key situation, I think keypair auth would be more secure. By "managed" I mean, the user has no control over his authorized_keys file -- that file is overwritten by a config management system, managed by a central sysadmin team. If the user loses his key, the sysadmin changes the authorized_keys in much the same way as he would change the user's password. Thus you get the security benefits of PK auth PLUS the flexibility described in this analogy | |
| Apr 2, 2013 at 8:53 | vote | accept | Jan Hudec | ||
| Mar 29, 2013 at 15:21 | history | answered | Tek Tengu | CC BY-SA 3.0 |