I have written once about the problems of authentication to web services. This post promotes one of the things used to authenticate users logging in to their remote computers over SSH – public key authentication.
Several years ago I logged in to my server using a typical password. The password consisted of about thirty characters, easy for me to remember, probably difficult for others to guess. I entered the password each time I logged in.
Now I use public key authentication. My local computers store a large, random RSA private key, encrypted using a passphrase, while the remote ones store the public key. SSH clients access the private key and authenticate without sharing it.
There were two problems with password authentication – usability and security. I don’t like to type long, difficult-to-guess strings of ASCII characters often, so I use ssh-agent to store the unencrypted private key in temporary memory, entering the passphrase only once per reboot.
Passwords have many security problems. A list of four such problems by Jeff Atwood shows that attackers usually guess passwords, possibly with a large number of tries in a dictionary attack, or get them when they are transferred. The first case is clearly improbable with a large random key (in OpenSSH by default 2048 bits); the second one is impossible since the private key is not transferred.
Public key authentication is another example showing that one change may make a system both more secure and more friendly to the user.
