Security of ssh across a LAN, public key versus password

openssh at tr.id.au openssh at tr.id.au
Tue Oct 22 07:49:16 AEDT 2024


Hi Chris,

> I use several password 'bases' (and try and invent new ones every so
> often) so at one time will have more than one 'family' of passwords in
> use.
> ...
> Not for passwords, I remember all the ones I use a lot.
> ...
> Probably/possibly, when I decide which method I'm going to use there
> will only be one of the other, but fundamentally they're going to be
> similar as I'll use the same methods to generate and remember them.
> ...
> No passwords stored anywhere except in my head.

You do you, but since you have asked about improving security, I hope you understand that memorizing passwords instead of using a password store is not considered a good practice.

Humans are notoriously bad at doing randomization in their head; and if your passwords *aren't* random then it would only take revealing one or two of them for an attacker to begin guessing good patterns to try. I don't recall the citation, but I do remember seeing some articles about how people were hacked because someone guessed their new password based on a pattern of old passwords. Humans are just bad at this, there's no way around, and if you were to claim that you're special, I'd be pressed to claim that you're wrong ;)

I suggest have a look at https://www.passwordstore.org/. It would only require setting up a gpg key and then you can have it automatically generate completely random passwords whenever you want, which can then be easily retrieved into your clipboard.

This is the password store I use to hold the passphrases for my non-sk ssh private keys. For me, the password store's gpg key is also backed by yubikey, but even without hardware 2FA, it's still a long way better than having some ad hoc algorithm which could be reverse-engineered by an attacker to guess my next password.

It's possible with this password store to use multiple public gpg keys to do the encryption, so you can have a separate private key per device (eg laptop vs workstation), and you can use Git to sync the encrypted blobs between machines.

~ Tim



More information about the openssh-unix-dev mailing list