Why ssh keys are “something you know” rather than “something you have”


A credential is “something you have” if it can only be compromised by physical access. SSH keys, like passwords, can be collected by remote attackers: an attacker who gains access to your client machine (your laptop or desktop computer) can copy your private keys and install a keystroke logger to capture your passwords. In that sense the two are equivalent in theory. In practice, though, an SSH key (even one with no passphrase) is a stronger credential than a password, for two reasons:

  • keys cannot be brute-force cracked … passwords often can (a key has far more entropy than any password a person will remember and type)
  • keys never leave your client computer, so they can only be compromised if your client is compromised: with public-key authentication the client only sends a signature over a per-session challenge, never the key itself … passwords transit the network every time you log in (encrypted on the wire, but decrypted and handled in plaintext by the server), so they are compromised if your client, the server, or the channel is compromised
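
The difference in the second point is easiest to see by running both exchanges side by side. The following is an added example, not code from this post or from OpenSSH: it models one server connection with a random session identifier, a “password” method where the client must hand over the secret, and a “publickey” method shaped after RFC 4252 where the client signs the session identifier with an Ed25519 key. The message layout, the `Server` type and the `Demo` function are simplifications assumed for illustration; the sample user name and password are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Server models the authentication side of one SSH connection (simplified, not OpenSSH).
type Server struct {
	sessionID  []byte                       // fresh random value per connection, like the SSH session identifier
	passwords  map[string][32]byte          // user -> sha256(password), what a server stores at rest
	authorized map[string]ed25519.PublicKey // user -> authorized_keys entry
	observed   [][]byte                     // every authentication payload the server received from the client
}

func NewServer() (*Server, error) {
	id := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &Server{
		sessionID:  id,
		passwords:  map[string][32]byte{},
		authorized: map[string]ed25519.PublicKey{},
	}, nil
}

// AuthPassword is the "password" method: the only way to prove knowledge of the
// secret is to send the secret itself, so the server handles the plaintext on every login.
func (s *Server) AuthPassword(user string, password []byte) bool {
	s.observed = append(s.observed, append([]byte{}, password...))
	want, ok := s.passwords[user]
	if !ok {
		return false
	}
	got := sha256.Sum256(password)
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

// PubkeyChallenge is the data the client signs for the "publickey" method.
// Binding it to the session identifier stops a captured signature from being
// replayed on another connection.
func (s *Server) PubkeyChallenge(user string) []byte {
	msg := append([]byte{}, s.sessionID...)
	return append(msg, []byte("ssh-userauth:"+user)...)
}

// AuthPubkey verifies the client's signature against the authorized public key.
// The server receives a signature, never the private key.
func (s *Server) AuthPubkey(user string, sig []byte) bool {
	s.observed = append(s.observed, append([]byte{}, sig...))
	pub, ok := s.authorized[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, s.PubkeyChallenge(user), sig)
}

// serverSaw reports whether a secret appeared verbatim in anything the server received.
func (s *Server) serverSaw(secret []byte) bool {
	for _, m := range s.observed {
		if bytes.Contains(m, secret) {
			return true
		}
	}
	return false
}

// Demo logs in with both methods against server a, then tries to replay the
// captured signature against server b (a second connection with its own session ID).
// It returns (passwordExposed, privateKeyExposed, replayAccepted).
func Demo() (bool, bool, bool, error) {
	const user = "alice"
	password := []byte("correct horse battery staple") // constructed sample
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	a, err := NewServer()
	if err != nil {
		return false, false, false, err
	}
	b, err := NewServer()
	if err != nil {
		return false, false, false, err
	}
	for _, s := range []*Server{a, b} {
		s.passwords[user] = sha256.Sum256(password)
		s.authorized[user] = pub
	}
	if !a.AuthPassword(user, password) {
		return false, false, false, fmt.Errorf("password login unexpectedly failed")
	}
	sig := ed25519.Sign(priv, a.PubkeyChallenge(user)) // the client-side step; priv stays here
	if !a.AuthPubkey(user, sig) {
		return false, false, false, fmt.Errorf("publickey login unexpectedly failed")
	}
	return a.serverSaw(password), a.serverSaw(priv.Seed()), b.AuthPubkey(user, sig), nil
}

func main() {
	p, k, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("server saw password: %v, server saw private key: %v, signature replayable: %v\n", p, k, r)
}
```

The three results are the whole argument: the server necessarily sees the password in the clear, it never sees any part of the private key, and the one thing it does see (the signature) is useless on any other connection because it is bound to that connection's session identifier. A server compromise therefore yields every password typed into it but no key.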
