Password auth. vs. Key auth. for SSH
Hi!
I have a server running Ubuntu Server 12.04.03 LTS, and it currently has keyfile-only authentication. However, I was thinking about setting it back to a password login, mainly for convenience. I am the only user of the server. Also, it does not listen on port 22. Is password login a big no-no, or is it safe if there is a long enough password? What should a good password look like? Thanks for your time!
security
Security is a difficult thing to give advice on...

It really comes down to comforts and preferences. You say you want to go back to passwords for convenience's sake, but for some the keyfile may be more convenient: you are free from keeping track of and memorising many different passwords for many different services. Also, good passwords should be difficult to memorise, which leads to your second question of what a good password looks like.

Well, a good password, again, is about your interests. If you are the only one on this server and your work is pretty anonymous, then a password for you may just be about deterring superficial shenanigans, and so a good password would be one you can easily remember. If you are talking about a high-security password, then you would want to go with something that looks like the output of a hash function: c0e81794384491... numbers and letters seemingly randomised. If you use common words the attacker can use a dictionary attack, but if an attacker wants to guess your password and you have a password like this, then the attacker would have to guess every possible combination of letters (26, a-z) and numbers (10, 0-9). At 36 possible characters for each character of the password string you can calculate the number of guesses by taking 36**(PASS_LEN):

36**4 = 1679616
36**5 = 60466176
36**6 = 2176782336

possible combinations; that escalates quickly. Obviously the more guesses required, the more secure the passphrase will be, so I'd suggest a minimum of 6 characters.
Hi,
I suggest you stick with key based authentication. Protect your keys with strong passphrases and, if you need to, carry them with you on a USB stick. Evo2.
Thanks!
I'll take your advice and keep the password authentication. Sorry if this was an overly "newbie" question. Regardless of what it says to the left of this post, I'm still pretty new to this.
solved?
Great, it's a fine question to ask for clarification between different security measures.
If you're decided, could you mark the thread as solved?
Marked as solved. Thanks!
The strength of a key, versus a password, is that it is unique and non-forgeable. Therefore, you can issue access to individual people and revoke it from individual people. The (private) key itself should of course be encrypted. But even if the equipment upon which the key was stored was stolen and the owner forced to divulge the password (ouch!), you can still individually deny access by that key.
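One way to check which mode a server actually ends up in after deciding between passwords and keys, as an added example that is not from the thread; it assumes upstream OpenSSH defaults for the listed keywords and sshd's rule that the first value seen for a keyword wins.

```python
"""Audit sshd_config for the password-vs-key choice discussed above (added
example, not from the thread). Models two sshd rules: for each keyword the FIRST
value wins (later duplicates are ignored), and keywords inside a Match block apply
only conditionally, so they are kept separately. DEFAULTS are assumed upstream values."""
import re

DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",  # PAM keyboard-interactive prompts
    "usepam": "no",
}

def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with lower-cased keywords/values."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":                            # rest of file is conditional
            current = {}
            match_blocks.append((value, current))
            continue
        target = current if current is not None else global_settings
        target.setdefault(key, value)                 # first occurrence wins
    return global_settings, match_blocks

def password_login_possible(text):
    """True if a password can log in globally, either directly or through the
    PAM keyboard-interactive prompt. The PAM path is the usual surprise:
    'PasswordAuthentication no' alone does not close it."""
    eff = {**DEFAULTS, **parse_sshd_config(text)[0]}
    via_password = eff["passwordauthentication"] == "yes"
    via_pam = eff["usepam"] == "yes" and eff["challengeresponseauthentication"] == "yes"
    return via_password or via_pam

# Constructed samples: LEAKY tries to disable passwords but still accepts them.
LEAKY = """PasswordAuthentication no
UsePAM yes
PasswordAuthentication yes   # ignored: the first value above wins
"""
HARDENED = """PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes
"""
```

Running `password_login_possible` over a real `/etc/ssh/sshd_config` shows whether password logins remain reachable once key-only access is intended.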