With ssh, over 90% of the vulnerabilities are abusing the password mechanism. If you setup pre-shared keys, you are preventing the most common abuses, including in the realm of zero days.
The idea behind keys is always, that keys can be rotated. Vast majority of websites to that, you send the password once, then you get a rotating token for auth.
Most people don’t do that, but you can sign ssh keys with pki and use that as auth.
Cryptographically speaking, getting your PW onto a system means you have to copy the hash over. Hashing is not encryption. With keys, you are copying over the public key, which is not secret. Especially managing many SSH keys, you can just store them in a repo no problem, really shouldn’t do that with password hashes.
Never understood this
I don’t think that anyone or anything, computer or mentalist, will guess my 40+ characters long password
With ssh, over 90% of the vulnerabilities are abusing the password mechanism. If you setup pre-shared keys, you are preventing the most common abuses, including in the realm of zero days.
Oh I see, ty !
Are you setting and managing other’s passwords?
Especially paired with Fail2Ban preventing any brute force attempts.
But with a WireGuard setup, you need not have the port exposed at all.
The idea behind keys is always, that keys can be rotated. Vast majority of websites to that, you send the password once, then you get a rotating token for auth.
Most people don’t do that, but you can sign ssh keys with pki and use that as auth.
Cryptographically speaking, getting your PW onto a system means you have to copy the hash over. Hashing is not encryption. With keys, you are copying over the public key, which is not secret. Especially managing many SSH keys, you can just store them in a repo no problem, really shouldn’t do that with password hashes.