Considering removing all passwords and making a hardware key mandatory

I am currently thinking of disabling and removing all passwords and replacing them with keys only, which means for you, the user, that only hardware-based login would be possible. However, this would also mean that no password resets are possible and that the user has a Nitrokey, YubiKey or another hardware key on hand.

Secure passwords have two problems when compared to certificates:

  • They’re symmetric keys, not asymmetric. If I can intercept enough of your authentication exchange in the clear to grab your password, that’s it - the password is compromised. Certificates are asymmetric keys; the actual authentication exchange is based on using the key to encrypt a random chunk of data, thus demonstrating that you hold the other half of the key, so even if I can intercept the authentication exchange, I can’t authenticate as you in future.
  • A good password manager password will use the Base64 alphabet or similar, for 6 bits per character. That means you need a minimum of 19 characters of password to match a 2048-bit RSA key or a 224-bit elliptic curve key. To match a 384-bit elliptic curve key (the current NSA recommendation for key length until we get post-quantum cryptography), you need a 64-character password. This ends up being a lot longer than what most people put in their password manager databases.
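
The first point above (an intercepted password can be reused, an intercepted key-based exchange cannot) can be checked with a short program. This is an added example, not code from the original post; the `Server` type, its methods, `ReplayDemo` and the sample password are hypothetical, and an Ed25519 signature over a random challenge stands in for the key operation the bullet describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Server is a hypothetical verifier; the password is kept in the clear only for brevity.
type Server struct {
	pub                 ed25519.PublicKey
	password, challenge []byte
}

// NewChallenge issues a fresh random nonce for one login attempt.
func (s *Server) NewChallenge() []byte {
	s.challenge = make([]byte, 32)
	if _, err := rand.Read(s.challenge); err != nil {
		panic(err)
	}
	return s.challenge
}

// VerifyKey accepts a signature only over the outstanding challenge, once.
func (s *Server) VerifyKey(sig []byte) bool {
	ok := s.challenge != nil && ed25519.Verify(s.pub, s.challenge, sig)
	s.challenge = nil
	return ok
}

func (s *Server) VerifyPassword(pw []byte) bool {
	return subtle.ConstantTimeCompare(s.password, pw) == 1 // whoever knows the secret passes
}

// ReplayDemo records one legitimate login, then presents the recorded values again.
func ReplayDemo() (legit, passwordReplay, signatureReplay bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pw := []byte("constructed-sample-password") // constructed value, sent as-is on every login
	srv := &Server{pub: pub, password: pw}
	recordedSig := ed25519.Sign(priv, srv.NewChallenge())
	legit = srv.VerifyKey(recordedSig) // first use of the signature succeeds
	srv.NewChallenge()                 // the next login attempt gets a new nonce
	return legit, srv.VerifyPassword(pw), srv.VerifyKey(recordedSig)
}

func main() { fmt.Println(ReplayDemo()) }
```

The recorded password is accepted again, while the recorded signature fails because it was made over a nonce the server no longer expects.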

This is something I am considering for next year. It is a bigger challenge because it would also affect all databases as well as SSH connections in general. There is also the performance point to consider.