Why SSH Key Passphrases Matter
Without a passphrase, your SSH private key is an unencrypted file on disk. Anyone who gains access to your machine — through malware, physical theft, or unauthorized access — can use your key immediately without any additional authentication.
Passphrases vs Random Passwords for SSH
SSH passphrases are a good use case for the passphrase approach because you'll type them frequently. Five to six words from the diceware word list produces about 65-75 bits of entropy while remaining typeable in a few seconds with practice.
SSH Agent for Daily Convenience
The ssh-agent daemon decrypts and caches your private key in memory after you enter the passphrase once per session. You type your strong passphrase once at login and then authenticate seamlessly to any authorized server for the rest of your working session.
Rotating SSH Key Passphrases
You can change your SSH key passphrase without generating new keys using 'ssh-keygen -p'. This lets you rotate the passphrase periodically without needing to update authorized_keys on every server.
SSH key passphrases should be strong, memorable, and backed by ssh-agent for daily convenience. A five-word random passphrase provides excellent security without the friction of a long character string.