Edit: the security is essentially the same, but having one password every machine vs individual ssh keys seems like a huge advantage to me. Also ssh means you don’t ever accidentally allow read access that you don’t mean to.
Well, the situation in this case seems to be the exact opposite, i.e. reusing the same SSH key for multiple repos Vs. being easily able to have different passwords for different repos with a password-manager.
How would they get my private key? I mean if they already have access to my private key on my computer then I have much bigger problems than them having access to the anyway public git repos.
Perhaps I’m misunderstanding the thread model you have, but isn’t ssh the standard way of accessing git repos because it is so much more secure compared to a username and password?
They can impersonate you and push code into the repos in your name with a high likelyhood of you not noticing it.
The typical hobby dev machine isn’t particularly secure and for sure less secure than the typical server. Accessing everything from there with a single key is a pretty gaping security hole IMHO.
There seems to be this common misconception that ssh keys are more secure than passwords, but that is only true when you use really weak passwords that you keep in your head instead of a password manager.
If you want to actually increase your security then you need to set up a second factor auth with a seperate device.
Ok, I understand that this is a bit inconvenient, but you can use a password manager for the required git push logins.
But you are not concerened that someone compromising your ssh keys gets full access to all your repos?
Huh? ssh is much more secure than https.
Edit: the security is essentially the same, but having one password every machine vs individual ssh keys seems like a huge advantage to me. Also ssh means you don’t ever accidentally allow read access that you don’t mean to.
Well, the situation in this case seems to be the exact opposite, i.e. reusing the same SSH key for multiple repos Vs. being easily able to have different passwords for different repos with a password-manager.
How would they get my private key? I mean if they already have access to my private key on my computer then I have much bigger problems than them having access to the anyway public git repos.
Perhaps I’m misunderstanding the thread model you have, but isn’t ssh the standard way of accessing git repos because it is so much more secure compared to a username and password?
They can impersonate you and push code into the repos in your name with a high likelyhood of you not noticing it.
The typical hobby dev machine isn’t particularly secure and for sure less secure than the typical server. Accessing everything from there with a single key is a pretty gaping security hole IMHO.
There seems to be this common misconception that ssh keys are more secure than passwords, but that is only true when you use really weak passwords that you keep in your head instead of a password manager.
If you want to actually increase your security then you need to set up a second factor auth with a seperate device.