Hacker News new | past | comments | ask | show | jobs | submit login

> Sucks that Github and some other things force SSH keys which are just passwords except always saved to your disk so that anyone who steals your laptop gets access.

This is the reason to encrypt ssh private keys with a passphrase. If the key is leaked it's still protected by the password.

It's a built-in feature of ssh. For an existing key downloaded from a cloud provider, use ssh-keygen -p to add/change the passphrase.




How hard is it to crack these passwords? Since it's local (unlike the github password) I guess you can run brute force attacks etc at full speed ?


Yes it's local, but also can be taken away to run on a cluster. Looks like ssh-keygen is using 16 rounds of bcrypt_pbkdf. My laptop just took 185ms to try a password. So I guess I could run less than 10 passwords per second (per core?).

I don't keep an ssh key on disk though. I use my gpg key on my hardware security token, which gives you 3 attempts before you have to unblock it with a separate management password, which again you get 3 attempts at before the key is entirely locked.


The longer the better. A memorable sentence is a good place to start.

ssh-agent will cache the passphrase in memory, which helps avoid needing to type in a long phrase repeatedly.

But it's worth saying that if any private key is leaked (passphrase or not), it's time to revoke it and generate a new one.

Having a passphrase in place raises the bar from "key leaked, 3rd party has access to everything" to "key leaked, 3rd party has to now attempt to crack the passphrase". It mitigates a very bad scenario and buys time.


Pass phrase not password. You are going for length to protect from brute force.

Soylent Green is NOT people

Was one of my shorter pass phrases


I'm sceptical about the entropy of easy to remember pass phrases, including negations and simple capitalizations. Even when going for something like "correct horse battery staple", which requires a memorization technique to remember, the space of words we are realistically drawing from when prompted by a shell is probably not that large.


That’s what diceware is for: https://theworld.com/~reinhold/diceware.html


How many times a day did you typ that wrong!


That's going to depend on the length of your password. Longer is more entropy and orders of magnitude more difficult to 'brute force' with each character added.


Yes. This is precisely why passphrases are a bad idea - people tend to use their easy-to-remember default password, which gets compromised along the way if an attacker can get their hands on the key file and throw their full processing power at it.

SSH certificates are a solution to that problem.


What mechanism is used to protect the key of the certificate authority?


That’s a different situation - the CA key resides on some high security server, not a developer laptop that may get stolen or compromised by ordinary usage.


sure, but that's why you're using a password manager that lets you generate 24 character mixed everything random passwords and use them easily, right? Right? Guys?




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: