Comment by greatgib - Hacker Neue

greatgib Nov 23, 2025 parent

It's a total pain in the ass to try to have password encrypted gpg or ssh keys in mac. Nothing better that another way to make it even more painful and complicated, so that people will just store plain text keys to not be annoyed.

traceroute66 Nov 23, 2025

> It's a total pain in the ass to try to have password encrypted gpg or ssh keys in mac.

Who uses password encrypted keys anyway ? No exfiltration protection, and a sitting duck for unlimited automated password guessing attempts.

Pre-Tahoe people used Yubikeys or Secretive. But now this native tool is a better option than Secretive, even if Yubikeys still have their uses for the power-users.

fpoling Nov 23, 2025

With an ssh agent and time-bounded key expiration one can have very strong password on the key that is convenient to use.

Also password managers like 1password or Bitwarden support ssh-agent protocol so one can have a master password that protects both stored passwords and keys.

johncolanduoni Nov 24, 2025

How short of a time-bound do you use on your SSH keys?

fpoling Nov 24, 2025

It is set to 15 minutes due to specifics of automation scripts that we use so they can run uninterrupted.

newsoftheday Nov 23, 2025

> Who uses password encrypted keys anyway ?

Edit: I'm not suggesting an ssh key with a passphrase (or password) is better than what the article suggests; I'm only saying that adding a passphrase (or password) to an ssh key at least buys time to address the situation while the attacker is trying to break the encryption on the stolen key.

I am anti-Mac in every way, but I do use passphrase protected ssh keys so if someone were to get a copy of my ssh key, they would have to be able to break the encryption to use the key. I see a lot of devs using blank passphrases on their ssh keys, smh.

> sitting duck for unlimited automated password guessing attempts.

Using a passphrase on your ssh key has nothing to do with whether the ssh service is configured to allow or deny passwords.

lloeki Nov 23, 2025

> whether the ssh service is configured to allow or deny passwords.

Given the consistent use of "password" instead of "passphrase", I think they meant an exfil'ed encrypted key is vulnerable to no-rate-limit bruteforcing, in contrast with hardware-backed keys.

newsoftheday Nov 23, 2025

Right, but my context is that devs often use no passsphrase at all. If someone can get a copy, they have instant access to whatever it has access to. They don't need to even break encryption since the key has none if none has been applied. My stance is simply, at least add a passphrase to the key (though some call it a password).

lloeki Nov 23, 2025

gotcha, thanks for clarifying!

Xylakant Nov 23, 2025

The parent means that an attacker has unlimited attempts at breaking the passphrase on an exfiltrated key. Once the key passphrase is broken, they can log in using the key.

newsoftheday Nov 23, 2025

Right, but my context is that devs often use no passsphrase at all. If someone can get a copy, they have instant access to whatever it has access to.

manuelabeledo Nov 23, 2025

This looks like the complete opposite, though? It’s easy and provides a convenient way to integrate SSH and TouchID.

acdha Nov 24, 2025

It’s been easy since the 2000s. This makes it easier to be safer than the built in SSH agent + Keychain but pure usability was a solved problem around by the turn of the century.

newsoftheday Nov 23, 2025

> It's a total pain in the ass to try to have password encrypted gpg or ssh keys in mac

I'm anti-Mac but for the year recently that I had to use one at work, no choice...I had no issues, none, using gpg or using a passphrase on my ssh keys.

tiltowait Nov 23, 2025

I've used password-encrypted keys on a Mac plenty of times. It was easy to add them to the SSH agent to not require a password after initial authorization, if that's what I wanted. What is the issue I'm not seeing?

This item has no comments currently.

Preferences

Keyboard Shortcuts

Story Lists

Navigation

Miscellaneous