Security-aware people: How risky/bad is it to publish an SSH private key that has a very long/secure passphrase?
I could’ve phrased that better. What I meant: this scenario is similar to having a password + 2FA as additional protection. When the password leaks, you wouldn’t continue using it “because 2FA protects me anyhow”, right?
The leaked private key situation is the same, except the private key is the main thing you’re protecting, and the passphrase is the additional defense.
Low effort, high impact, Simeon. Well done.
That's a good way to think of it: A private key with passphrase is 2-factor authentication. You need a copy of the key file, and you need to know the passphrase. Sharing the key knocks you down to ordinary password security.
Yes, two levels of security are obviously stronger than one level of security. I would think that the main point of this thread was "did we simply downgrade the auth to the password scheme" (which might still be sufficient for some), or "is the leaked PK worse than a plain PW".
As in, "in theory, a leaked PK allows for some elaborate attack where you do not need the full passphrase", so having only the password auth is actually better than the leaked PK.
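Whether a leaked encrypted key really "downgrades to password security" depends on how the file protects the passphrase: the following added example (not from the thread) parses the header of an OpenSSH private key and reports its format, cipher, KDF and work factor. Sample inputs are constructed and hold no key material; `inspect_private_key` and `build_v1_header` are assumed names.

```python
import base64
import struct
MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, pos):
    """Read an SSH wire-format string (uint32 big-endian length prefix) at pos."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n
def inspect_private_key(pem_text):
    """Describe how a key file is protected at rest: format, cipher, KDF, work factor."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, pos = _read_string(blob, len(MAGIC))
        kdf, pos = _read_string(blob, pos)
        kdfopts, pos = _read_string(blob, pos)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt || uint32 rounds
            _salt, p = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[p:p + 4])
        info = {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    else:
        # Legacy PEM: encryption is signalled by headers, and the KDF is OpenSSL's
        # EVP_BytesToKey (a single MD5 pass), so there is no tunable work factor.
        hdr = dict(ln.split(": ", 1) for ln in lines[1:-1] if ": " in ln)
        enc = hdr.get("Proc-Type") == "4,ENCRYPTED"
        info = {"format": "legacy-pem", "encrypted": enc, "rounds": 1 if enc else None,
                "cipher": hdr.get("DEK-Info", "none").split(",")[0],
                "kdf": "EVP_BytesToKey-MD5" if enc else "none"}
    if not info["encrypted"]:
        info["verdict"] = "plaintext key: a leak is full compromise, no passphrase involved"
    elif info["kdf"] == "bcrypt":
        info["verdict"] = "bcrypt_pbkdf, %d rounds: offline guessing is slowed down" % info["rounds"]
    else:
        info["verdict"] = "fast legacy KDF: a leak leaves only the passphrase's own entropy"
    return info
def build_v1_header(cipher="aes256-ctr", kdf="bcrypt", rounds=16, salt=b"\x00" * 16):
    """Constructed test input: only the openssh-key-v1 header, not a usable key."""
    def s(b): return struct.pack(">I", len(b)) + b
    kdfopts = s(salt) + struct.pack(">I", rounds) if kdf != "none" else b""
    blob = MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts) + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body
# Constructed legacy-PEM sample: only the headers matter here, the body is filler.
LEGACY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: "
              "AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run `inspect_private_key` over a real key file to see which case it falls into; a legacy-PEM result means the file's resistance to offline guessing is exactly the passphrase's own strength.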