Password or Key Authentication for SFTP: Which Is Better?
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
There are two primary methods of authenticating users to an SFTP server. Password authentication is the simpler of the two methods, for both the server administrator and the user: The admin sets up a new account with a user name and password. The user uses that user name/password combination to log in to the server.
Key authentication is a little more complicated. In this case, the user must generate a key pair on their computer, export the public key, and send the public key to the server administrator (usually by email). The administrator can then set up the new user account on the server with that user’s public key. The user is then able to log into their account using that user name and key. This article will not go into the details of exactly how that authentication is performed, as it is not necessary for the purpose of discussing the pros/cons of the two techniques.
Any article that attempts to cover every difference between these two techniques would be longer than most people would care to read, so we will focus on the two topics that are most likely to affect how/if user data can become compromised:
- Inherent strength of passwords vs keys
- Where passwords and keys are stored
The first topic, the inherent strength of passwords vs keys, is relatively simple. Keys are stronger than passwords. Without going into the technical details, it is possible to guess passwords whereas it is not possible to guess a key. However, in practice, this difference can be minimized enough to make it irrelevant. For example, a common, simple practice is to require strong passwords. This can mean requiring complex combinations of letters, numbers, and symbols, but it can be as simple as requiring a password be long enough. Requiring passwords with a minimum of eight characters and blocking IP addresses that make 10 failed login attempts in a row is probably sufficient.
The second topic, where passwords and keys are stored, is more complex and also reveals more potential ways for an attacker to gain access to user data.
One important difference between password authentication and key authentication is what information is stored on the server. With password authentication, the password, or, much more commonly, a hash of the password, is stored on the server. This means that if a malicious user gains access to the password database, they could use various techniques to reverse the hashes and get all the passwords. Some might point out that if a such a user has already gained enough access on the server that they were able to compromise the password database, then they almost certainly have access to all the data in the user accounts, and it doesn’t really matter at this point what type of authentication is being used to protect those individual accounts.
However, this reveals another vector of attack. Consider the case where a user on your server has used the same user name and password for your server as on numerous other accounts (an unfortunate, but common, practice). If THAT server becomes compromised as described above, a common scenario is for hackers to attempt to exploit this fact and try the user name/password combinations they find on other servers. If they happen to try your server, and your user has re-used this user name/password combination, then the hacker will gain access to this user’s account.
While administrators can recommend that users NOT use the same username and password on multiple servers, there is no way in practice to enforce this. Therefore, as an administrator, you have to assume that this is happening and your server is open to this type of attack.
Servers using key authentication only are not susceptible to this type of attack as users’ keys are not stored on the server (neither your server nor any other server to which that user connects).
Advantage: Key authentication
In summary, while key authentication and password authentication can both provide reasonable protection for access to user data, key authentication has an edge over password authentication due to its ability to avoid one of the most common vulnerabilities caused by users not following best practices.
About the author
Errol Siegel is a Product Manager at Serengeti Systems Incorporated, a leading provider of secure, automated file transfer solutions for small to medium-sized businesses. Since 2001, Siegel has lead the team responsible for the Robo-FTP suite, a secure file transfer server and client built from the ground up for automating FTP, FTPS, SFTP, HTTP, and HTTPS file transfers and related tasks such as PGP encryption, ZIP, email (SMTP), and database access (ODBC).
Siegel holds a Bachelor’s degree in Aerospace Engineering from the University of Michigan.