SSH.COM is one of the most trusted brands in cyber security. We help enterprises and agencies solve the security challenges of digital transformation with innovative access management solutions.
A passphrase is similar to a password. However, a password generally refers to something used to authenticate or log into a system, whereas a passphrase generally refers to a secret used to protect an encryption key. Commonly, an actual encryption key is derived from the passphrase and used to encrypt the protected resource.
A good passphrase should have at least 15, preferably 20 characters and be difficult to guess. It should contain upper case letters, lower case letters, digits, and preferably at least one punctuation character. No part of it should be derivable from personal information about the user or his/her family.
Sometimes there is a need to generate random passwords or phrases automatically. We also offer an entirely browser-based secure online password/passphrase generator.
The purpose of the passphrase is usually to encrypt the private key. This makes the key file by itself useless to an attacker. It is not uncommon for files to leak from backups or decommissioned hardware, and hackers commonly exfiltrate files from compromised systems.
To use an encrypted key, the passphrase is also needed. In a way, they are two separate factors of authentication.
SSH keys are used for authenticating users in information systems. The SSH keys themselves are private keys; the private key file is further encrypted using a symmetric encryption key derived from the passphrase. The key derivation is done using a hash function.
Passphrases are commonly used for keys belonging to interactive users. Their use is strongly recommended to reduce risk of keys accidentally leaking from, e.g., backups or decommissioned disk drives.
In practice, however, most SSH keys are without a passphrase. There is no human to type in something for keys used for automation. The passphrase would have to be hard-coded in a script or stored in some kind of vault, where it can be retrieved by a script. An attacker with sufficient privileges can easily fool such a system. Thus, there would be relatively little extra protection for automation.
More than 90% of all SSH keys in most large enterprises are without a passphrase. However, this depends on the organization and its security policies.
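Whether a key is passphrase-protected can be read from the key file header alone: an openssh-key-v1 file records the cipher name ("none" for an unprotected key) and the KDF name, while a legacy PEM key carries a "Proc-Type: 4,ENCRYPTED" header when encrypted. The audit helper below is an added example, not SSH.COM code; the sample key headers it builds are constructed fixtures with no real key material.

```python
"""Report whether private key files are passphrase-protected (header inspection only)."""
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----(.*?)-----END \1-----", re.S)


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_private_key(text):
    """Return format, encrypted flag, cipher and KDF for one key file's contents."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no private key block found")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))  # e.g. aes256-ctr or none
        kdf, _ = _read_string(blob, off)                      # e.g. bcrypt or none
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"format": "openssh-key-v1", "encrypted": cipher != "none",
                "cipher": cipher, "kdf": kdf}
    if label == "ENCRYPTED PRIVATE KEY":                      # PKCS#8, always encrypted
        return {"format": "pkcs8", "encrypted": True, "cipher": "pkcs8", "kdf": "pkcs8"}
    if label.endswith("PRIVATE KEY"):                         # legacy PEM (RSA/EC/DSA)
        encrypted = "Proc-Type: 4,ENCRYPTED" in body
        dek = re.search(r"DEK-Info:\s*([^,\s]+)", body)
        return {"format": "pem:" + label, "encrypted": encrypted,
                "cipher": dek.group(1) if dek else "none",
                "kdf": "legacy-md5" if encrypted else "none"}
    raise ValueError("not a private key block: " + label)


def build_sample_openssh_key(cipher, kdf):
    """Constructed fixture: an openssh-key-v1 header only, with no key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


def unprotected_keys(keys):
    """Given {name: file_text}, return the names whose key has no passphrase."""
    return sorted(n for n, t in keys.items() if not classify_private_key(t)["encrypted"])
```

Keys that the helper flags can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`, which re-encrypts the file without changing the key pair.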
Private keys used in email encryption tools like PGP are also protected in a similar way. Such applications typically use private keys for digital signing and for decrypting email messages and files.