Passwords have several problems:

- insecure: Are you sure your favourite ssh/rdp/
- annoying: you have to type them in every time. If they can choose passwords, they will reuse the same password on multiple locations (now who didn't do that?)
- hard to remember: people will write them down, keep them in text documents or hell, even Excel files if they're forced to remember lots of passwords.

When using passwords, they have in the best scenario some encrypted/bcrypted/hashed form of the real password - which can potentially be brute-forced. In the case of pub/private key authentication, the only thing they can do is give you access to another machine. They cannot in any way figure out what the private key is that corresponds to a public key.

Ideal authentication consists of at least 2 things: something you know and something you have. In the case of private keys, what you know is the unlock password for your private key, and what you have is the protected private key itself. Ideally, you'd have an additional OTP token (or app on your cellphone which provides an OTP code), which is an additional "something you have". It's the poor-man's 2 factor authentication.

A non-password protected private key can just be copied around, so sure, they're not perfect, but they're far better than passwords. They also always have to be password protected to be effective - this is their weak point. Private keys are supposed to be personal, and should be treated that way.

Hardly anyone uses a decent password manager, which imho is an absolute must when working in IT, because you will have to use passwords at certain points, and there aren't many tools I trust. Oh, and don't be silly and use some cloud-based solution - that's asking for trouble.
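The post's weak point for keys is an unencrypted private key that "can just be copied around". A defender's check for that is a small audit that tells, without any external library, whether an SSH private key file is passphrase-protected. The script below is an added example, not code from the post's author: it inspects the `openssh-key-v1` header (the `ciphername` field is the literal `none` for unencrypted keys), the legacy PEM `Proc-Type: 4,ENCRYPTED` header, and the PKCS#8 `ENCRYPTED PRIVATE KEY` armour. The `build_openssh_key` fixture builder and the PEM strings are constructed test data, not real keys; the function `find_unprotected_keys` and the directory argument are assumptions for illustration.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset `off`; return (value, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def is_passphrase_protected(pem_text: str) -> bool:
    """True if the armoured private key is encrypted, False if it is stored in the clear.

    Raises ValueError for input that is not a private key at all.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM-armoured private key")
    header = lines[0]

    # PKCS#8 encrypted form announces itself in the armour header.
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True

    # New OpenSSH format: magic, then ciphername and kdfname as SSH strings.
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(body, off)
        # ssh-keygen writes "none"/"none" for unencrypted keys,
        # e.g. "aes256-ctr"/"bcrypt" for passphrase-protected ones.
        return cipher != b"none" and kdf != b"none"

    # Legacy PEM (RSA/EC/DSA): encryption is signalled by a Proc-Type header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])


def find_unprotected_keys(directory: str) -> list:
    """Assumed helper: list private-key files in `directory` that are NOT passphrase-protected."""
    hits = []
    for path in Path(directory).iterdir():
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
            if not is_passphrase_protected(text):
                hits.append(str(path))
        except (OSError, ValueError):
            continue  # unreadable, or not a private key (pubkeys, known_hosts, config)
    return sorted(hits)


def build_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed test fixture: an openssh-key-v1 blob with only the header fields filled in.

    The public/private key sections are left empty; the check above never reads them.
    """
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    chunks = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(chunks)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy-PEM samples (the base64 payload is a dummy, not key material).
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for path in find_unprotected_keys(str(Path.home() / ".ssh")):
        print("unprotected private key:", path)
```

Run it against your own `~/.ssh`; every path it prints is a key that, if copied, grants access with no second factor at all, which is exactly the case the post warns about.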