lloeki an hour ago
> whether the ssh service is configured to allow or deny passwords.

Given the consistent use of "password" instead of "passphrase", I think they meant an exfil'ed encrypted key is vulnerable to no-rate-limit bruteforcing, in contrast with hardware-backed keys.
newsoftheday an hour ago
Right, but my context is that devs often use no passphrase at all. If someone can get a copy, they have instant access to whatever it has access to. They don't need to even break encryption since the key has none if none has been applied. My stance is simply, at least add a passphrase to the key (though some call it a password).