Password-based authentication is the "legacy" entry point for SSH (https://medium.com/@boutnaru/the-linux-security-journey-openssh-eeb7d168f8e5), as illustrated at https://production-comptiawebsite.azurewebsites.net/blog/3-steps-to-implement-ssh-key-based-authentication. It is convenient because it reuses existing system credentials through PAM (https://medium.com/@boutnaru/the-linux-security-journey-pam-pluggable-authentication-module-388496a8785c), but it is inherently dangerous. While it requires zero setup, it turns your SSH port into a primary target for brute-force and dictionary attacks. The core risk lies in human fallibility: passwords are "static" credentials, often reused across platforms or weakened by predictable patterns chosen to aid memory (https://infisical.com/blog/ssh-certificates-guide).
Overall, if we have to use passwords, we must move beyond simply requiring "strong passwords" and implement a defense-in-depth strategy. This starts with enforcing high-entropy passphrases ("pam_pwquality") and strictly limiting access to specific users or groups with the "AllowUsers" directive (and its "AllowGroups" counterpart) in "sshd_config". To neutralize automated attacks, we can deploy "Fail2Ban" (https://medium.com/system-weakness/the-linux-security-journey-fail2ban-10c8da33d46f) to dynamically drop traffic from IPs exhibiting brute-force patterns, and configure "pam_faillock" to temporarily lock accounts after repeated failures. Finally, centralize logs and monitor them to identify anomalies (https://frontegg.com/blog/ssh-password-authentication-security-risks-and-top-5-alternatives).
Lastly, the OpenSSH daemon leans toward accessibility: if the PasswordAuthentication directive is not explicitly defined in "sshd_config", the service defaults to "yes" (https://serverpilot.io/docs/guides/ssh/password-auth/). OpenSSH supports other authentication mechanisms, such as SSH keys (https://www.cyberciti.biz/faq/how-to-disable-ssh-password-login-on-linux/) and SSH certificates (https://smallstep.com/blog/use-ssh-certificates/); more on those in future writeups.
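As an added example (not code from the original post), here is a small Python audit of the two sshd_config points above: it reads a config with sshd's own parsing rules (case-insensitive keywords, first occurrence wins, directives after the first "Match" line are conditional) and reports when PasswordAuthentication is effectively "yes" because it was never set, or when AllowUsers is absent. The two sample configs are constructed for the demonstration.

```python
"""Audit an sshd_config for the password-authentication weaknesses discussed above."""
import re
# Defaults sshd applies when a directive is absent (assumption: stock OpenSSH defaults).
DEFAULTS = {"passwordauthentication": "yes", "allowusers": None}

def effective_global_settings(config_text):
    """Effective global value of each audited directive, following sshd's rules:
    keywords are case-insensitive, '#' starts a comment, the FIRST occurrence of a
    directive wins, and anything after the first 'Match' line is conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":        # stop: later lines belong to a Match block
            break
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means both checks pass."""
    s = effective_global_settings(config_text)
    findings = []
    if s["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication is effectively 'yes' (set or defaulted)")
    if not s["allowusers"]:
        findings.append("AllowUsers is not set: every local account may attempt SSH login")
    return findings

# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """Port 22
# PasswordAuthentication left undefined, so sshd defaults to yes
PermitRootLogin no
"""
HARDENED_CONFIG = """Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice bob
Match User alice
    PasswordAuthentication yes
"""
if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

On a real host, `sshd -T` prints the effective configuration with defaults applied and is the authoritative check; this script only illustrates the parsing rules behind the "defaults to yes" trap.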
See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
