<

Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x

Password or Key Authentication for SFTP: Which Is Better?

Published on
3,812 Points
812 Views
Last Modified:
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Password or Key Authentication for SFTP: Which Is Better?

There are two primary methods of authenticating users to an SFTP server. Password authentication is the simpler of the two methods, for both the server administrator and the user: The admin sets up a new account with a user name and password. The user uses that user name/password combination to log in to the server.

Key authentication is a little more complicated. In this case, the user must generate a key pair on their computer, export the public key, and send the public key to the server administrator (usually by email). The administrator can then set up the new user account on the server with that user's public key.  The user is then able to log into their account using that user name and key. This article will not go into the details of exactly how that authentication is performed, as it is not necessary for the purpose of discussing the pros/cons of the two techniques.

Any article that attempts to cover every difference between these two techniques would be longer than most people would care to read, so we will focus on the two topics that are most likely to affect how/if user data can become compromised:

1. Inherent strength of passwords vs keys
2. Where passwords and keys are stored

The first topic, the inherent strength of passwords vs keys, is relatively simple. Keys are stronger than passwords. Without going into the technical details, it is possible to guess passwords whereas it is not possible to guess a key. However, in practice, this difference can be minimized enough to make it irrelevant. For example, a common, simple practice is to require strong passwords. This can mean requiring complex combinations of letters, numbers, and symbols, but it can be as simple as requiring a password be long enough. Requiring passwords with a minimum of eight characters and blocking IP addresses that make 10 failed login attempts in a row is probably sufficient.

Advantage: Tie

The second topic, where passwords and keys are stored, is more complex and also reveals more potential ways for an attacker to gain access to user data.

One important difference between password authentication and key authentication is what information is stored on the server. With password authentication, the password, or, much more commonly, a hash of the password, is stored on the server. This means that if a malicious user gains access to the password database, they could use various techniques to reverse the hashes and get all the passwords. Some might point out that if a such a user has already gained enough access on the server that they were able to compromise the password database, then they almost certainly have access to all the data in the user accounts, and it doesn't really matter at this point what type of authentication is being used to protect those individual accounts.

However, this reveals another vector of attack. Consider the case where a user on your server has used the same user name and password for your server as on numerous other accounts (an unfortunate, but common, practice). If THAT server becomes compromised as described above, a common scenario is for hackers to attempt to exploit this fact and try the user name/password combinations they find on other servers. If they happen to try your server, and your user has re-used this user name/password combination, then the hacker will gain access to this user's account.

While administrators can recommend that users NOT use the same username and password on multiple servers, there is no way in practice to enforce this. Therefore, as an administrator, you have to assume that this is happening and your server is open to this type of attack.

Servers using key authentication only, are not susceptible to this type of attack as users' keys are not stored on the server (neither your server nor any other server to which that user connects).

Advantage: Key authentication

In summary, while key authentication and password authentication can both provide reasonable protection for access to user data, key authentication has an edge over password authentication due to its ability to avoid one of the most common vulnerabilities caused by users not following best practices.

About the author

Errol Siegel is a Product Manager at Serengeti Systems Incorporated, a leading provider of secure, automated file transfer solutions for small to medium-sized businesses. Since 2001, Siegel has lead the team responsible for the Robo-FTP suite, a secure file transfer server and client built from the ground up for automating FTP, FTPS, SFTP, HTTP, and HTTPS file transfers and related tasks such as PGP encryption, ZIP, email (SMTP), and database access (ODBC).

Siegel holds a Bachelor’s degree in Aerospace Engineering from the University of Michigan.
0
Comment
Author:eksatx
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
0 Comments

Featured Post

Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

Join & Write a Comment

Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month