Note: The following is from a posting I made to the local Linux User’s Group mailing list.
I’ve done a lot of thinking over the years about the Internet and security and, while I am not a security expert, I’ve come to the conclusion that this paranoia about cleartext passwords isn’t justified. People see a social problem (protecting your information) and figure it has a technical solution (encryption). Encryption can help, but it has to be used correctly. And it can’t replace careful thought and action.
Now, by no means am I advocating cleartext passwords. I’m SSLed, TLSed, SSHed, and GPGed out the wazoo. But, there is a negligible difference between the amount of work necessary to get your cleartext password as it travels over the wire and capturing your keypair.
There are a couple of reasons I’ve come to this conclusion.
- The primary risk is not how or if the password travels over the wire.
- The wire is relatively secure from taps.
The second item first: Today’s switched networks mean that access to the packets going over the wire involves compromising some hardware — most likely one of the endpoints.
That is, I have more reason to fear someone who compromises a server I connect to than someone who compromises MAE East. Why? Because my traffic at MAE East is statistically insignificant. Anyone with a password sniffer there is going to be overwhelmed with data. Besides, my data isn’t going through MAE East.
If someone compromises the server that I’m connecting to, I’m still not too worried if all they do is put up a password sniffer. That’d be a pretty stupid cracker. Whoop-ti-doo. A bunch of random passwords. In most places, that’s meaningless — they already have access to the server and all the data on it.
And if I can break into the server you’re using, then who’s to say I can’t break into your box and steal your keys?
I’m more afraid of the cracker who compromises the server and replaces the binaries to log all of my activity.
But, the reality is that while break-ins should be prevented, most break-ins cause very little harm other than loss of time and (rarely, you do have backups, don’t you?) loss of data. Usually, the cracker just wants a jumping-off spot.
And, anyway, as I said, the real risk is not cleartext passwords. It’s user stupidity.
If I’m a malicious guy who’s out to cause you damage, then it is far more effective for me to call you or your spouse up on the phone, pose as someone you should trust, and rob you blind.
Yes, all that encryption is important, but it isn’t that important. It’ll only stop the idle script kiddie. The people you should really be afraid of won’t even bother with it.
And, get this: No one really cares about your shell account.
That’s what all this is about anyway.
Figure out who you’re afraid of and why so you can make sensible decisions about what you’re doing. Otherwise, you’ll put your passwordless keypair on a USB key and forget the key at your friend’s house.
And your friend has more reason to be interested in what’s on the key than most people do.
Heck, I used to regularly get requests from random individuals who wanted to know if I could hack into the account of a wife, a friend, or a lover. You have more reason to fear those people (who have access to your unprotected keypair) than you do from the script kiddie sniffing passwords.
Remember, using a passphrase involves one extra step, but adds an order of magnitude (or more!) of protection. Use ’em!