newsoftheday an hour ago

> Who uses password encrypted keys anyway ?

Edit: I'm not suggesting an ssh key with a passphrase (or password) is better than what the article suggests; I'm only saying that adding a passphrase (or password) to an ssh key at least buys time to address the situation while the attacker is trying to break the encryption on the stolen key.

I am anti-Mac in every way, but I do use passphrase protected ssh keys so if someone were to get a copy of my ssh key, they would have to be able to break the encryption to use the key. I see a lot of devs using blank passphrases on their ssh keys, smh.

> sitting duck for unlimited automated password guessing attempts.

Using a passphrase on your ssh key has nothing to do with whether the ssh service is configured to allow or deny passwords.

lloeki an hour ago | parent | next [-]

> whether the ssh service is configured to allow or deny passwords.

Given the consistent use of "password" instead of "passphrase", I think they meant an exfil'ed encrypted key is vulnerable to no-rate-limit bruteforcing, in contrast with hardware-backed keys.

newsoftheday an hour ago | parent [-]

Right, but my context is that devs often use no passphrase at all. If someone can get a copy, they have instant access to whatever it has access to. They don't need to even break encryption since the key has none if none has been applied. My stance is simply, at least add a passphrase to the key (though some call it a password).

lloeki an hour ago | parent [-]

gotcha, thanks for clarifying!

Xylakant an hour ago | parent | prev [-]

The parent means that an attacker has unlimited attempts at breaking the passphrase on an exfiltrated key. Once the key passphrase is broken, they can log in using the key.

newsoftheday an hour ago | parent [-]

Right, but my context is that devs often use no passphrase at all. If someone can get a copy, they have instant access to whatever it has access to.