George:

> On 5/6/11, Jochen Schulz <m...@well-adjusted.de> wrote:
>
>> You can authenticate to an OpenSSH server using a password, or using a
>> keyfile. On the client side, simply run 'ssh-keygen' to create a
>> keypair.
>
> So the attacker needs to guess my private key instead of my password.

Exactly.

> How does that make his life more difficult, assuming my password was
> very strong?

A keyfile is longer and contains more entropy. I doubt you are using a password with 1024 bits of entropy, let alone 2048 or 4096. Even for only 1024 bits of entropy you would need a passphrase of 128 characters to match a keyfile's strength. And that's only if you assume your password has an entropy of 8 bits per character, which probably isn't the case (see here: http://en.wikipedia.org/wiki/Password_strength#Random_passwords and the table below that).

If an attacker has access to your passphrase-protected private key file, security is of course reduced to your passphrase's strength, which puts you into almost the same situation as with a login without a keyfile.

J.
-- 
I spend money without thinking on products and clothes that I believe will enhance my social standing.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
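The entropy comparison in the reply above, worked through as an added example (not code from the thread): it computes how long a uniformly random password from a given character set must be to carry as many bits as a 1024/2048/4096-bit key, and models the last point, that an attacker holding the key file only has to beat the passphrase. It assumes uniformly random characters and, like the mail, counts the key's raw bit length as its entropy; the character-set sizes are constructed for illustration.

```python
import math

# Constructed alphabet sizes for common password character sets (assumption:
# each character is drawn uniformly at random, the best case for a password).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alnum": 62,
    "printable_ascii": 94,
    "full_byte": 256,  # the optimistic 8 bits per character from the mail
}


def bits_per_char(charset_size: int) -> float:
    """Entropy of one uniformly random character from a set of this size."""
    return math.log2(charset_size)


def chars_needed(target_bits: int, charset_size: int) -> int:
    """Shortest random password from this charset with at least target_bits."""
    return math.ceil(target_bits / bits_per_char(charset_size))


def password_bits(length: int, charset_size: int) -> float:
    """Entropy of a random password of the given length and charset."""
    return length * bits_per_char(charset_size)


def effective_bits(key_bits: int, passphrase_bits: float, attacker_has_keyfile: bool) -> float:
    """Work the attacker faces: the key itself, unless they already hold the
    passphrase-protected key file, in which case only the passphrase remains."""
    return min(key_bits, passphrase_bits) if attacker_has_keyfile else key_bits


def comparison_table(key_sizes=(1024, 2048, 4096)) -> dict:
    """Characters needed per charset to match each key size, as in the mail."""
    return {name: {k: chars_needed(k, n) for k in key_sizes}
            for name, n in CHARSETS.items()}


if __name__ == "__main__":
    for name, row in comparison_table().items():
        print(f"{name:16s} " + "  ".join(f"{k}b:{v:4d} chars" for k, v in row.items()))
    # A 12-char printable-ASCII passphrase on a leaked 2048-bit key file:
    print(effective_bits(2048, password_bits(12, 94), attacker_has_keyfile=True))
```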