Passphrase - Secret Used to Protect Keys
A passphrase is similar to a password, but is used for protecting encryption keys or authentication keys. With SSH keys, it is typically used for encrypting the identity keys used for authenticating users.
The purpose of the passphrase is to make the private key itself useless to an attacker who may obtain a copy of the key. To use the key, the passphrase is also needed. In a way, the key file and the passphrase are two separate factors of authentication.
A private key may have a passphrase or may be without a passphrase (or have an empty passphrase). If a private key has no passphrase, anyone with access to the key file can use the private key.
Passphrases with SSH Keys
SSH keys are also used for authenticating communicating devices when used as host keys. Host keys are almost always without a passphrase. The purpose of host keys is to prevent man-in-the-middle attacks.
In practice, most SSH keys are without a passphrase. Passphrases are commonly used for keys belonging to interactive users. However, for keys used for automated access, there is no human to type in a passphrase. The passphrase would have to be hard-coded in a script or stored in some kind of vault, where it can be retrieved by a script (which a root-level attacker can fool). Thus, passphrases provide relatively little added value for keys used for automation. In practice, more than 90% of all SSH keys in large enterprises tend to be for automation, and sometimes their number is in the millions. Use of proper SSH key management tools is recommended to ensure proper access provisioning and termination processes and regulatory compliance.
Generating a Good Passphrase
A good passphrase should have at least 15, preferably 20 characters and be difficult to guess. It should contain upper case letters, lower case letters, digits, and preferably at least one punctuation character.
For automated applications, it may also be helpful to generate passphrases automatically. See passphrase generator. Use of online passphrase generators is not recommended due to security reasons.