I'm curious about the security of using a very long password generated by OpenSSL (like from the command `openssl rand -base64 48`) to SSH into my VPS. After checking its strength on a password testing tool, it seems like it would take centuries to crack. I also noticed that when I enter the wrong password, my hosting company appears to add a delay before notifying me, which makes me think they'll catch any brute-force attempts if they happen. While I know the best practice is to use SSH keys and not rely on passwords, I wonder how much more secure that really is compared to just using a strong password. What's the security ratio between using strong passwords and SSH keys?
5 Answers
As long as the password is kept secure, it's not terrible for personal accounts. That being said, if your service mandates SSH keys, it's what you should stick to to avoid hassles.
Honestly, nobody from your hosting provider is going to alert you if someone breaches your VM. As per the shared responsibility model, it’s up to you to secure it. I’d strongly advise going for SSH keys and consider rotating them as well. If you must use passwords, opt for a passphrase for better security.
Using SSH keys is definitely the better route because they are harder to crack and can help prevent brute force attacks. You also get the added convenience of passwordless logins. It’s just a more secure method of authentication overall.
Long passwords are better, but a long password combined with an SSH key is even more secure. The combination maximizes security for your connections!
Best practice is always to use SSH keys. Keep usernames and passwords for local access or escalated privileges only. Remember, most hosting services leave the security on you, so it’s your job to monitor and secure your machine.
Totally agree! And many tools like fail2ban can help fend off brute-force attempts too.