My private SSH keys have passphrases of 19-20 random characters. I store them in a KeePass database (AES encrypted) so that I can copy/paste. For keys on my Mac, I've also allowed the KeyChain (Triple DES encrypted) to remember it so that I don't have to copy/paste it every time.
I think this approach should be more secure than trying to set memorable passphrases for all my keys. Thoughts?
I don't know about the grandparent, but personally I store that one in my brain. It's about 32 (maybe more?) characters and quite complex, but it's the only passphrase I need to use regularly, so it's etched into my mind.
You don't even need to have a passphrase that long with KeePass. It allows you to set the number of rounds of encryption to perform to make brute-forcing even short master passwords infeasible.
Of course, that assumes the master password is chosen such that it isn't susceptible to your typical dictionary/hybrid-dictionary attacks.
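As an added illustration of the two points above (not code from the thread or from KeePass itself): a key-stretching toy in Python. It uses PBKDF2-HMAC-SHA256 as a stand-in for KeePass's actual AES-KDF/Argon2 transformation, since the principle is identical: every extra round multiplies the attacker's cost per guess, yet a password that sits in a wordlist still falls in a handful of guesses no matter how many rounds are configured. The wordlist, salt and passwords are constructed for the example.

```python
import hashlib
import time

# Constructed sample data (not from the thread): a small wordlist and a fixed salt
# so that the derived keys are reproducible.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correcthorse", "Summer2013!"]
SALT = bytes.fromhex("9f1c3a6b2e4d5f7081a2b3c4d5e6f708")


def derive_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Key stretching stand-in: PBKDF2-HMAC-SHA256 with `rounds` iterations.

    KeePass uses AES-KDF or Argon2 rather than PBKDF2; the cost model is the same:
    the legitimate user pays the `rounds` cost once per unlock, the attacker pays it
    once per guess.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def dictionary_attack(target_key: bytes, salt: bytes, rounds: int, wordlist):
    """Derive each candidate with the same salt/rounds and compare.

    Returns the recovered password, or None if it is not in the wordlist. The number
    of derivations is bounded by len(wordlist), which is why rounds alone cannot save
    a dictionary password.
    """
    for candidate in wordlist:
        if derive_key(candidate, salt, rounds) == target_key:
            return candidate
    return None


def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Measure the cost of one derivation at this round count on this machine
    (best of `samples` runs, to dampen scheduling noise)."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("timing-probe", SALT, rounds)
        best = min(best, time.perf_counter() - start)
    return best


def expected_bruteforce_seconds(alphabet_size: int, length: int, rounds: int,
                                guesses_per_second_at_one_round: float) -> float:
    """Expected time to brute-force a random password of `length` symbols drawn from
    `alphabet_size`, for an attacker whose throughput at one round is given and who
    must run the full KDF for every guess (throughput scales as 1/rounds). Uses the
    half-keyspace expectation."""
    keyspace = alphabet_size ** length
    guesses_per_second = guesses_per_second_at_one_round / rounds
    return (keyspace / 2) / guesses_per_second


if __name__ == "__main__":
    rounds = 200_000
    weak = derive_key("hunter2", SALT, rounds)       # in the wordlist
    strong = derive_key("xK9#mQ2vLp", SALT, rounds)  # random, not in the wordlist
    print("dictionary attack on weak password  :", dictionary_attack(weak, SALT, rounds, WORDLIST))
    print("dictionary attack on strong password:", dictionary_attack(strong, SALT, rounds, WORDLIST))

    # Measured cost per guess at a few round counts; the attacker's cost grows linearly.
    for r in (1_000, 10_000, 100_000):
        print(f"rounds={r:>7}: {seconds_per_guess(r) * 1e3:8.2f} ms per guess")

    # Assumed attacker throughput (hypothetical figure) of 1e9 single-round guesses/s.
    for r in (1, 1_000, 1_000_000):
        years = expected_bruteforce_seconds(62, 8, r, 1e9) / (365 * 24 * 3600)
        print(f"8 random alphanumerics, rounds={r:>7}: ~{years:.2e} years")
```

The measured timings are hardware dependent; the point is the ratio between round counts, not the absolute numbers. The throughput figure passed to `expected_bruteforce_seconds` is an assumed value for illustration, not a benchmark of any real cracking rig.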
You might still want to write that one down somewhere and store it somewhere safe (and probably hard to get to). A friend of mine recently forgot his PIN. A four-number code used regularly for over ten years. Just gone like that.
Your memory is a SPOF, and while generally robust for this sort of thing, it's not bulletproof.
You could use challenge-response with the Yubi (or just OATH) and save the SSH key passphrase in Keychain.
Or you could get a YubiKey NEO and store the SSH key in the YubiKey.
NEOs can store the RSA key and use it to authenticate via SSH, as they have OpenPGP smartcard emulation support.