Are passwords in ssh keys really necessary?

[Ticua]

They really seam to be just another hassle that won't add that much of security as it will probably be bruteforced anyways. Just asking this because I recently got ssh-bruteforced because I was lazy and set up ssh with password.

 

English is not my main language, point any mistakes if made Thanks

[Alex Atkin UK]

8 minutes ago, Ticua said:

They really seam to be just another hassle that won't add that much of security as it will probably be bruteforced anyways. Just asking this because I recently got ssh-bruteforced because I was lazy and set up ssh with password.

 

English is not my main language, point any mistakes if made Thanks

As I understand it its just an extra layer so that if your key somehow got leaked, they still would have to brute force to use it.

So no, its not actually necessary so long as your key is not compromised, or if it was you notice quick enough to revoke it from the server.

[BobVonBob]

An SSH key with a password is always more secure than an SSH key without a password. It's just an added layer of defense so that if an attacker gets your SSH key, they still need to crack the password as well. A strong password on an SSH key means that even if someone gets your key the server is still secure, although obviously that key should still be revoked.

[Sjaakie]

Depending on your use-case its most probably secure enough with just the keys. Key based auth is more secure than password auth anyway.