
Are SSH Keys or Passwords Better for SFTP Authentication?


SSH keys or passwords? That's the question IT professionals often ask when setting up authentication on an SFTP server. There is ongoing debate about whether SSH keys or passwords do a better job of protecting and validating access to company SFTP servers, and no official consensus has ever emerged.

What are the real differences between these methods? How do they work? Is one really better or more secure than the other?

Password Authentication

Authenticating to an SFTP server with a password is simple. The administrator creates a username and password combination for a user. From then on, whenever the user signs in, the server checks the username/password combination and approves or denies the request based on whether the password matches what it has on record (a well-built server stores only a salted hash of the password, never the password itself).

To make this method more robust, the admin can enable a lockout: if someone enters the wrong password more than a set number of times within a set window, further attempts on that account are blocked. The admin can also require passwords to meet a policy (a minimum length, or a mix of capital letters, numbers and symbols) and to expire after a certain number of days, though whether forced expiry actually prevents data breaches is still up for debate.

Pros: Easy to implement, can expire, can be assigned policies

Cons: Can be brute-forced or guessed, prone to human error and weak password choices, reused across systems, and password policies may frustrate employees

SSH Key Authentication

Authenticating to an SFTP server with an SSH key takes a little more legwork, but it's a useful option for extra security. An SSH key pair consists of a private key and a public key. The pair is generated by software (for example ssh-keygen), not typed by a person; an RSA key is commonly 2048 to 4096 bits long, far more entropy than any typical password, and Ed25519 keys offer comparable strength in a much shorter form.

The private key stays on the client machine and should never leave it; only the public key is copied to the SSH server (on OpenSSH, into the user's authorized_keys file).

Once the keys are in place, the client can authenticate against the SSH server: the server sends a challenge that only the holder of the private key can sign, and it verifies that signature with the stored public key, so the private key itself is never transmitted. Some SFTP servers can require both an SSH key and a password for additional assurance. Anyone who has the username or password (or both) but not the matching private key is denied access, no matter how many attempts they make, because guessing a 2048-bit key is not a practical attack.

Pros: Far more complex than a password, not human-generated, can be protected with a passphrase as a second factor, impractical to brute-force

Cons: Don't expire on their own, vulnerable to theft of the device they're stored on (especially when no passphrase protects them), and a key pair reused across multiple SFTP servers makes that one private key valuable to an attacker and a single point of compromise
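The two weaknesses just listed, keys that never expire and keys reused across servers, are the things an administrator can actually check for on the server side. The following script is an added example, not code from the original post or from GoAnywhere: it parses an OpenSSH authorized_keys file using only the standard library, reports each key's type and size, flags short RSA keys and deprecated DSA keys, and computes the same SHA256 fingerprint that ssh-keygen -lf prints so that keys can be compared across hosts. The key blobs in the sample file are constructed (arbitrary numbers of the right size, not real keys); only the wire format, which matches what ssh-keygen emits, matters to the parser.

```python
"""Audit an OpenSSH authorized_keys file for weak keys and key reuse.

Added example, not code from the original post or from GoAnywhere.
Standard library only. The key blobs below are constructed for
illustration (arbitrary numbers of the right size, not real keys).
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # RFC 4251 "mpint": two's complement, so a leading 0x00 keeps it positive
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_bits(blob: bytes) -> tuple[str, int]:
    """Return (key type, strength in bits) for a decoded public-key blob."""
    ktype_raw, off = _read_string(blob, 0)
    ktype = ktype_raw.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)     # public exponent, not needed here
        n, _ = _read_string(blob, off)        # modulus: its size is the key size
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-ed25519":
        return ktype, 256                     # fixed 32-byte public key
    if ktype == "ssh-dss":
        return ktype, 1024                    # OpenSSH DSA keys are always 1024-bit
    return ktype, 0                           # ecdsa, sk-* etc. not modelled here


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, min_rsa_bits: int = 2048) -> list[dict]:
    """One finding per key line; `problems` is empty when the line is acceptable."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options (restrict, from="...", command="...") may precede the key type.
        # Quoted options that contain spaces are not handled by this simple split.
        idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-")))
        blob = base64.b64decode(fields[idx + 1])
        ktype, bits = key_bits(blob)
        fp = fingerprint(blob)
        problems = []
        if ktype == "ssh-rsa" and bits < min_rsa_bits:
            problems.append(f"rsa key only {bits} bits")
        if ktype == "ssh-dss":
            problems.append("dsa key (deprecated)")
        if fp in seen:                        # same fingerprint seen before: reuse
            problems.append(f"duplicate of line {seen[fp]}")
        seen.setdefault(fp, lineno)
        findings.append({"line": lineno, "type": ktype, "bits": bits, "fingerprint": fp,
                         "options": " ".join(fields[:idx]), "problems": problems})
    return findings


# --- constructed sample input (not real keys) ---------------------------------
def _fake_rsa_blob(bits: int) -> bytes:
    n = (1 << (bits - 1)) | 1                 # not a real modulus, just the right size
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)


def _fake_ed25519_blob(seed: int) -> bytes:
    return _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample: one weak key and one key installed twice",
    "ssh-rsa " + _b64(_fake_rsa_blob(1024)) + " legacy@laptop",
    'restrict,from="10.0.0.0/8" ssh-ed25519 ' + _b64(_fake_ed25519_blob(7)) + " batch@jumphost",
    "ssh-rsa " + _b64(_fake_rsa_blob(4096)) + " alice@laptop",
    "ssh-ed25519 " + _b64(_fake_ed25519_blob(7)) + " batch@otherhost",
])

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        status = "; ".join(f["problems"]) or "ok"
        print(f"line {f['line']}: {f['type']} {f['bits']} bits {f['fingerprint']} -> {status}")
```

To look for the cross-server reuse the cons list warns about, concatenate the authorized_keys files collected from several hosts and feed the result to audit_authorized_keys; any key that appears on more than one host shows up as a duplicate fingerprint. The options column is worth reading too: an entry restricted with from= and restrict is far less useful to a thief than an unrestricted one.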

So, Which Method is Better? SSH Keys or Passwords?

Asking which is the best SFTP security practice has no easy answer. Both SSH keys and passwords have their advantages and disadvantages; the right choice depends on what your organization needs and how strong your cybersecurity policy is. Neither method is immune to compromise, and no single option is foolproof.

However, if you're not sure which one to use, we recommend using SSH keys and a password together to authenticate your users against an SFTP server. Many large organizations (GitLab among them) recommend protecting your SSH key with a passphrase as a best practice, and IT forums like StackExchange often say the same.

The biggest argument for using both? If someone compromises your private key (steals your device or installs malware on it), they still can't get into the SFTP server without the password or passphrase. And if someone has your password but not your private key? Game over for them. One distinction matters in practice: a passphrase on the private key is enforced only by the client, so the server can't verify that one is set, and malware on the client can capture it as it is typed. The requirement a server can actually enforce is its own password check on top of the key (on OpenSSH, AuthenticationMethods publickey,password). Of course, this isn't foolproof either, but it is two-factor authentication, which is a clear step above password-only SFTP authentication.
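Because a key-plus-password policy only counts if the server enforces it, it helps to verify what the server configuration actually demands rather than what was intended. The script below is an added example, not code from the original post or from GoAnywhere: it reads the subset of OpenSSH's sshd_config that matters here (global directives plus Match Group blocks, in the space-separated form) and reports which chains of authentication methods a user in a given group can log in with. The two configurations are constructed for illustration; the directive names are OpenSSH's own. The weak one accepts keys but still lets a leaked password in by itself, the hardened one requires a valid key and then a password for the sftpusers group.

```python
"""Which authentication methods does sshd really require for SFTP users?

Added example, not code from the original post or from GoAnywhere. Both
configs are constructed for illustration; directive names are OpenSSH's.
"""

WEAK_SSHD_CONFIG = """
# constructed: keys are accepted, but a leaked password alone still gets in
PubkeyAuthentication yes
PasswordAuthentication yes
Subsystem sftp internal-sftp
Match Group sftpusers
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""

HARDENED_SSHD_CONFIG = """
# constructed: sftpusers must present a valid key AND then a password
PubkeyAuthentication yes
PasswordAuthentication no
Subsystem sftp internal-sftp
Match Group sftpusers
    PasswordAuthentication yes
    AuthenticationMethods publickey,password
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""


def effective_directives(config: str, group: str) -> dict:
    """Global directives overridden by the first Match block that names `group`.

    Models two OpenSSH rules: the first value seen for a keyword wins, and a
    matching Match block overrides the global section. Match criteria other
    than Group are treated as non-matching in this simplified parser."""
    globals_, block, state, found = {}, {}, "global", False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()
            hit = len(crit) >= 2 and crit[0].lower() == "group" and group in crit[1].split(",")
            state = "match" if hit and not found else "other"
            found = found or hit
            continue
        if state == "global":
            globals_.setdefault(key, value)
        elif state == "match":
            block.setdefault(key, value)
    return {**globals_, **block}


def accepted_chains(config: str, group: str) -> list[list[str]]:
    """Each inner list is one chain of methods that must ALL succeed, in order."""
    d = effective_directives(config, group)
    enabled = {
        "publickey": d.get("pubkeyauthentication", "yes").lower() == "yes",
        "password": d.get("passwordauthentication", "yes").lower() == "yes",
    }
    methods = d.get("authenticationmethods", "any")
    if methods.lower() == "any":
        chains = [[m] for m, on in enabled.items() if on]   # any single method
    else:
        chains = [c.split(",") for c in methods.split()]   # explicit alternatives
    # A chain is only usable if every method in it is actually enabled;
    # methods not modelled here (e.g. keyboard-interactive) are assumed enabled.
    return [c for c in chains if all(enabled.get(m, True) for m in c)]


def password_alone_suffices(config: str, group: str) -> bool:
    """True when a stolen password, with no key, is enough to log in."""
    return ["password"] in accepted_chains(config, group)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "sftpusers:", accepted_chains(cfg, "sftpusers"),
              "| password alone ok:", password_alone_suffices(cfg, "sftpusers"))
```

Note the shape of the hardened configuration: password authentication is switched off globally and re-enabled only inside the Match block, where AuthenticationMethods makes it a second step after the key rather than an alternative to it. Users outside that group keep key-only login. On a real server the authoritative answer comes from sshd -T -C user=NAME, which prints the effective configuration for a given connection; this script only approximates it for the directives discussed here.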

GoAnywhere Managed File Transfer supports the use of SFTP to secure, automate, and audit file transfers. You can authenticate users with passwords and SSH keys, meaning you can choose one, the other, or both to satisfy your IT security requirements. With our SFTP client, you can also deliver and retrieve files from your SFTP server through an encrypted tunnel, transfer multiple encrypted files per connection, set up alerts for failed transfers, and more.

What are your thoughts on the SSH key vs password debate? Tell us in the comments below.
