In general we find 4-5 keys every couple of months, and about 50% of the time they have no encryption on them. This means that if a key had been found by a third party, they could use it without any problem to get access to any server where the public key has been placed in an .ssh/authorized_keys file. And while I have not tested the passwords on the encrypted id_rsa keys, I have tested some privately created ones and found that brute forcing them is a lot faster than what is possible against the sha512crypt() used to encrypt Fedora passwords.
With this in mind, it is always important to make sure your SSH private keys remain:
- on hardware that you control, and not uploaded to services in the cloud.
- encrypted with a passphrase that is at least 10 characters long and not easily guessable. [Passphrases like "fedoraproject", "password", "sshpassword", or the favourite "123456" are not hard for an attacker to find or guess.]
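To check the second point on your own machines, the parser below inspects a private key file and reports whether the key material is stored in the clear. This is an added example, not code from the original post: it reads the two containers OpenSSH writes, the `openssh-key-v1` blob (whose header names the cipher, `none` for an unprotected key) and the legacy PEM container (where an encrypted key carries `Proc-Type: 4,ENCRYPTED` / `DEK-Info` headers), and applies the post's minimum passphrase bar. The sample keys it builds are constructed headers around dummy payloads so it runs offline; they are not real keys. Function names, the `WEAK_PASSPHRASES` deny list and the `audit_directory` helper are this example's own.

```python
"""Audit OpenSSH private keys for missing passphrase protection (added example)."""
import base64
import os
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\n(.*?)-----END \1-----", re.S)
# Hypothetical deny list built from the post's examples; a real deployment
# would check against a much larger wordlist.
WEAK_PASSPHRASES = {"fedoraproject", "password", "sshpassword", "123456"}


def _string(b):
    """Encode bytes as a uint32-length-prefixed SSH string."""
    return struct.pack(">I", len(b)) + b


def _read_string(blob, off):
    """Read a uint32-length-prefixed SSH string from blob at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_cipher(key_text):
    """Return (container, cipher); cipher == 'none' means stored in the clear."""
    m = PEM_RE.search(key_text)
    if not m:
        raise ValueError("no PEM private key block found")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # header layout: magic, string ciphername, string kdfname, ...
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return "openssh-key-v1", cipher.decode("ascii")
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, always encrypted
        return "pkcs8", "encrypted"
    # Legacy PEM: encrypted keys carry RFC 1421 Proc-Type / DEK-Info headers.
    if re.search(r"^Proc-Type: 4,ENCRYPTED$", body, re.M):
        dek = re.search(r"^DEK-Info: ([^,\n]+)", body, re.M)
        return "pem", dek.group(1) if dek else "unknown"
    return "pem", "none"


def passphrase_ok(passphrase):
    """The post's minimum bar: 10+ characters and not a known-weak value."""
    return len(passphrase) >= 10 and passphrase.lower() not in WEAK_PASSPHRASES


def audit_keys(key_texts):
    """Map name -> (container, cipher) and list the names stored in the clear."""
    report, unprotected = {}, []
    for name, text in key_texts.items():
        try:
            report[name] = key_cipher(text)
        except ValueError as exc:
            report[name] = ("unparsed", str(exc))
            continue
        if report[name][1] == "none":
            unprotected.append(name)
    return report, sorted(unprotected)


def audit_directory(path):
    """Scan a directory such as ~/.ssh for files that look like private keys."""
    texts = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full) and not name.endswith(".pub"):
            with open(full, errors="replace") as f:
                txt = f.read()
            if "PRIVATE KEY-----" in txt:
                texts[name] = txt
    return audit_keys(texts)


def constructed_openssh_key(cipher, kdf):
    """Constructed test data: a valid openssh-key-v1 header around DUMMY
    payloads. It is NOT a real key and cannot be used with ssh."""
    kdfopts = b"" if kdf == b"none" else _string(b"\x00" * 16) + struct.pack(">I", 16)
    blob = (OPENSSH_MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(b"dummy-public-key")
            + _string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples; the body is a dummy, not key material.
CONSTRUCTED_PEM_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\n"
                         "MIIBOgIBAAJBAK==\n"
                         "-----END RSA PRIVATE KEY-----\n")
CONSTRUCTED_PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                             "Proc-Type: 4,ENCRYPTED\n"
                             "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
                             "\n"
                             "MIIBOgIBAAJBAK==\n"
                             "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    samples = {
        "id_rsa_plain.constructed": constructed_openssh_key(b"none", b"none"),
        "id_ed25519_locked.constructed": constructed_openssh_key(b"aes256-ctr", b"bcrypt"),
        "id_rsa_legacy_plain.constructed": CONSTRUCTED_PEM_PLAIN,
        "id_rsa_legacy_locked.constructed": CONSTRUCTED_PEM_ENCRYPTED,
    }
    report, unprotected = audit_keys(samples)
    for name, (container, cipher) in report.items():
        print(f"{name:34} {container:15} cipher={cipher}")
    print("stored in the clear:", unprotected)
```

Running `audit_directory(os.path.expanduser("~/.ssh"))` gives the same report for real key files. Any key listed as unprotected can be fixed in place with `ssh-keygen -p -f <keyfile>`, which re-encrypts the existing key under a new passphrase without changing the public half already in `authorized_keys` files.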
```
[smooge@seiji-wlan ~]$ for ((i=0; i<10; i++)); do /usr/bin/pwqgen random=65; done
bias Blaze Crook Primal Shore
Borrow tilt Macro Beef leo
Growth Reside Dolly prompt openly
Crawl sigh Boyish thrill lake
Past Urgent Carbon Orient Wrap
root Arm Book Candy iowa
chalk Plasma Champ Active motion
Pause border Retina Mrs storm
fault Mouth Xerox inward snatch
advert apex Mature Akin play
```

Choose the line you like the best.