On 11/10/2015 11:26 AM, Michael Orlitzky wrote:
> On 11/10/2015 11:13 AM, J. Roeleveld wrote:
>>
>> What would take longer?
>> brute-forcing your root-password or a 4096 byte ssh key?
>>
>
> My password, by a lot. The password needs to be brute-forced over the
> network, first of all.
I realized this wasn't correct while I was in the shower =P To tell if you decrypted the key properly, you need to send it over the network, so verification of a brute-force attempt on the SSH key takes about the same amount of time as a brute-force attempt on the root password. The root password in my head is safe against crypto attacks though, so if we're just arguing for fun, it's probably still safer. Adding the key *in addition to* the root password still only gives you a constant factor improvement, and I'm not worried whether it takes the bad guys 4,359,811,353 or 8,719,622,706 years to log in. My time would be better spent taking karate lessons to prevent one of those other attacks I mentioned.