
I use a handful of keys. Thing is, your secret is never shared with the server. Just the public key bits. Passwords are stored (hashed) on the services. Totally different threat models. With your public key the biggest risk is someone tracking what you are up to if they compromised multiple services/servers you use.



Not really. Do you think the ssh client machine is easier to secure than the ssh server? (It isn't.)


It objectively is since I never transmit the private key bits to the server. Passwords usually require the whole secret be blasted about the Internet (albeit encapsulated in TLS, usually).


Hint, the server won't be the hostile party stealing your keys here. Neither will be your ISP.


Why be obtuse? Are you talking about compromising the client machine? In which case, you’ve already lost all your keys, and you’re relying on their passphrases being set.


I'm saying private keys are not more secure by default. If your development machine is compromised (which is really easy to do, BTW) they'll steal your keys and probably will have root on your servers and access to your github accounts.

Stealing passwords is much harder in comparison.


As an attacker, maybe true depending on your target. As a user I have had my passwords compromised many times. My SSH keys never have and I don’t know of any prominent evidence this happens much at all. I have been doing reversing, netsec, and appsec for 15 years now, so my memory goes back a ways. Plus, for example, my main system is a Linux desktop. You can and should password protect your SSH keys, which further eliminates a number of key compromise scenarios.
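A way to check the last point across a machine, as an added example that is not part of any comment above: parse the header of each private key file and report whether it is stored with a passphrase (the openssh-key-v1 format records the cipher and KDF names before any key material, and legacy PEM keys carry a `Proc-Type: 4,ENCRYPTED` line). The `id_*` file glob and the `make_sample_key` helper, which builds only the header fields of a constructed sample and not a usable key, are assumptions of this example.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(blob: bytes, offset: int):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def openssh_cipher_and_kdf(key_text: str):
    """Return (ciphername, kdfname) from an openssh-key-v1 file, or None if it is not that format."""
    lines = [ln.strip() for ln in key_text.splitlines() if ln.strip()]
    if not lines or lines[0] != OPENSSH_HEADER:
        return None
    body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
    kdf, _ = _read_ssh_string(blob, off)
    return cipher.decode("ascii"), kdf.decode("ascii")

def is_passphrase_protected(key_text: str) -> bool:
    """True if the private key is encrypted at rest, False if it is stored in the clear."""
    info = openssh_cipher_and_kdf(key_text)
    if info is not None:
        cipher, kdf = info
        return cipher != "none" and kdf != "none"
    # Legacy PEM keys (ssh-keygen -m PEM) flag encryption in a header line.
    return "Proc-Type: 4,ENCRYPTED" in key_text

def audit_ssh_dir(ssh_dir: str = "~/.ssh") -> dict:
    """Map each id_* private-key file in ssh_dir to whether it has a passphrase (assumed naming)."""
    files = (p for p in Path(ssh_dir).expanduser().glob("id_*") if p.suffix != ".pub" and p.is_file())
    return {p.name: is_passphrase_protected(p.read_text()) for p in files}

def make_sample_key(cipher: str, kdf: str) -> str:
    """Constructed sample: only the openssh-key-v1 header fields, not a usable key."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
    blob += _ssh_string(b"") + struct.pack(">I", 1)  # empty kdfoptions, one key
    b64 = base64.b64encode(blob).decode()
    return f"{OPENSSH_HEADER}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Running `audit_ssh_dir()` on a workstation lists any key that would be usable as-is if the file were copied off the machine; `make_sample_key("none", "none")` is what an unprotected key's header looks like.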

