
Relative security of ssh password and public key to remote systems

Çağlar Arlı


I just know everyone is going to shout at me that public key is better but let me spell out the actual scenario first.

I have a small LAN at home, basically I'm the only regular user but other members of the family are connected occasionally. Physical security is reasonable (we're in a rural location) but fairly lax.

I connect, using ssh, to a variety of remote systems most of which are probably more secure (especially in the physical sense) than mine is. Thus the most likely break-in scenario is someone getting access to my desktop or laptop and trying to connect to a remote system.

So, if I use public key authentication, both parts of the key will be somewhere on my system (quite likely, by default, in ~/.ssh) so the obvious attack is to brute force the private key's passphrase which is quite possible since the public key is accessible too. However if I use password authentication there's nothing to attack at my end, which to my simple mind feels more secure. It's impossible to brute force because there's always a long delay at login after a failed attempt and most systems throw you off and/or lock you out after quite a small number of failed tries.

Yes, I know the actual connection process is more secure using public key, in that what gets sent across the internet is much less easy to get anything from. However the reality is what I have described above where the vulnerability is the private key's passphrase.

I guess the opinion here will be that I should make my system (home?) more secure so that there's no chance of anyone getting to my system to do what I've described above. But a similar scenario would apply to my laptop or even my phone (I run termux on that) both of which have a rather greater chance of being accessible to an intruder.

So, do I win anything by using public key rather than passwords, especially (now I think of it) on my laptop and phone?
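How much work an offline passphrase guess costs someone who has copied ~/.ssh depends on whether the private key is encrypted at all and on the KDF round count ssh-keygen wrote into it (the `-a` option). The following is an added example, not code from the post: a small Python auditor that parses the OpenSSH private-key container (`openssh-key-v1` magic, then cipher name, KDF name and KDF options as SSH wire strings) and reports those fields; the sample keys it checks are constructed inline with dummy key material, so it runs offline.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf: bytes, pos: int):
    """Read one SSH wire 'string' (uint32 big-endian length prefix + bytes)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length

def audit_openssh_key(pem: str) -> dict:
    """Report how an OpenSSH-format private key is protected at rest."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    pos = len(MAGIC)
    cipher, pos = _read_string(blob, pos)      # "none" means unencrypted
    kdf, pos = _read_string(blob, pos)         # "none" or "bcrypt"
    kdf_opts, pos = _read_string(blob, pos)    # bcrypt: string salt + uint32 rounds
    rounds = None
    if kdf == b"bcrypt":
        _salt, p = _read_string(kdf_opts, 0)
        (rounds,) = struct.unpack(">I", kdf_opts[p:p + 4])
    return {"encrypted": cipher != b"none", "cipher": cipher.decode(),
            "kdf": kdf.decode(), "rounds": rounds}

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def make_sample_key(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Constructed container with dummy key material (not a real key)."""
    kdf_opts = b"" if kdf == b"none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    body = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdf_opts)
    body += struct.pack(">I", 1) + _ssh_string(b"dummy-pub") + _ssh_string(b"dummy-priv")
    b64 = base64.b64encode(body).decode()
    return "\n".join([BEGIN] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [END])

if __name__ == "__main__":
    for args in ((b"none", b"none", 0), (b"aes256-ctr", b"bcrypt", 16)):
        print(audit_openssh_key(make_sample_key(*args)))
```

Run `audit_openssh_key(open("~/.ssh/id_ed25519").read())` on a real key to see whether it is encrypted and how many bcrypt rounds protect it; a key that reports `encrypted: False` is exactly the copied-from-disk case the post worries about.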