Step 4.2 Passphrase Considerations

Problem: SSH private keys are protected with a passphrase rather than a password. What makes a good passphrase?

A passphrase differs from a password in that it should be composed of multiple words and more difficult to guess. The same rules that apply to creating good passwords also apply to creating good passphrases. The following is a list of suggestions for creating a good passphrase.

1. Make the passphrase at least 6 words or about 40 characters long. The longer the passphrase, the harder it will be to guess.
2. Use a mixture of upper- and lower-case letters within the passphrase.
3. Use non-alphabetic characters, such as numbers or punctuation, within the passphrase. The use of non-alphabetic characters makes a passphrase increasingly difficult to guess.
4. Don't make your passphrase a common or popular sentence or phrase. Using a string of nonsensical or random words will make your passphrase stronger.

Of course, it is possible to use an empty or null passphrase when using SSH. This is strongly discouraged as anyone who is able to obtain your private key would be able to impersonate you. However, there are times when an empty passphrase may be necessary, such as for an automated script or batch job. In these cases, it is recommended that a separate account on the remote machine be created for the automated script or batch job. By creating a separate account and limiting the account's privileges, you can at least minimize damage if it is compromised.