Security of ssh key passphrases - i.e. where to save them?

Ralf Mardorf kde.lists at yahoo.com
Sun Aug 18 14:22:29 UTC 2024


On Sun, 18 Aug 2024 at 13:00, Ralf Mardorf wrote:
>> I regularly receive blackmail emails containing my passphrases, which
>> are impossible to guess and which I actually use.
>
> In that case you must be doing something very wrong.  I have never,
> ever, had such an email, or anything even similar.

Hi Colin,

Your conclusion simplifies the facts.

The blackmailers claim to have my computer firmly in their hands and my
webcam switched on and present a password that I really use.

1. A webcam that is not present cannot have been activated.

2. It is not possible to gain access to a user or root account on my
computer with those passwords. These are always passwords from mailing
lists, bug trackers or similar accounts.

3. I receive blackmail or other spam, not a huge amount, but some mails
a day, usually without a password. A lot of mailing list emails are
filtered by Yahoo and Co, hence I don't receive them. At the moment I
only receive my own mails via Ubuntu users, while all other mails, like
your reply, are being held back. IOW spam filtering isn't perfect.
You are the first one I heard of, who is lucky with perfect spam
filtering.

I tried to log in to the Yahoo account. My password is correct, I have made
ticks at zebra crossings, motorbikes and buses, but I don't receive the
"security confirmation mail" by another email account. Those mails are
not even in the spam folder of this account.

Without going into further details, if you summarise this and other
facts (I try to keep it short), it looks more likely that the weak point
is not mine. The weak points obviously lie elsewhere.

Of course, it's easy to write a flippant sentence like that, saying that
if it's the way it is, then it must be because of me. But that doesn't
do justice to the realities of security issues.

Again, regarding Chris' concern, password-based attacks are negligible,
access is usually gained in other ways.

As for blackmail spam, it's very common here in Germany and it's easy to
guess where it comes from. A popular scam is the reference to sexuality,
which is forbidden and/or socially ostracised in certain countries. In
Germany, however, it is neither legally nor socially relevant. Email
addresses with passwords belonging to accounts from Flyspray to Mailman
are offered on the so-called dark web. The blackmailers then guess by
looking down their backwoods noses and assume that the world is as grey
everywhere as it is in their living environment.

IOW those passwords are from Flyspray to Mailman, not to gain access by
SSH, neither to a private desktop PC, nor to a nuclear power plant.

Regards,
Ralf
