It is widely believed that public/private keys or certificates are “more secure” than passwords, e.g., an SSH login via key rather than a password, or a site-to-site VPN with certificate authentication rather than a pre-shared key (PSK). However, even certificates and private keys are not infinitely secure. They can be compromised, too: public-key cryptography only guarantees that a private key stays secret as long as a brute-force attack on it is practically infeasible.
So, what’s the real security level of passwords compared to public keys/certificates?
The basic question is: How can an attacker brute-force a password or a private key, and how long would that take? In both cases he would be able to use these credentials to impersonate the real person/device and log in to the system. So, what are the security levels (bits of security) for passwords compared to private keys / certificates?
The following graph shows the security levels of passwords compared to private keys. It assumes that passwords are chosen randomly (!!!) out of 83 characters (0-9, a-z, A-Z, and 21 special characters, refer to Password Strength/Entropy), while the security levels for the RSA/DLOG algorithms are taken from the ECRYPT II Yearly Report 2012. The y-axis shows the security level (bits of security) while the five bars show the necessary key sizes and password lengths.
The raw values are the following:
For example, a 1024-bit RSA certificate offers 73 bits of security. This can be compared to a password with 12 characters, which offers 79 bits of security.
Certificates or public/private keys are not “more secure” by default. It depends on the key size. If, for example, a pre-shared key with more than 16 characters is used for authenticating VPNs, it has the same security level as a 2048-bit certificate! Furthermore, the security of this PSK can be increased simply by using more characters, while it is not easy in all situations to use longer key sizes for certificates.
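The comparison above can be reproduced numerically. The following is an added example, not code from the original post: it estimates RSA strength with the GNFS running-time formula and a -14-bit calibration offset (an assumption about how the report's figures are derived; it reproduces the 73 bits quoted for RSA-1024), then finds the shortest random password over an 83-character alphabet that reaches that level. The 21 special characters are a constructed set, since the post does not list them.

```python
import math
import secrets
import string

# Assumption: the post does not name its 21 special characters; this set is constructed.
SPECIALS = "!#$%&()*+,-./:;<=>?@_"
ALPHABET = string.digits + string.ascii_letters + SPECIALS  # 10 + 52 + 21 = 83


def rsa_security_bits(modulus_bits: int) -> float:
    """Symmetric-equivalent strength of an RSA modulus (GNFS-based estimate)."""
    ln_n = modulus_bits * math.log(2)  # natural log of a modulus of that size
    work = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    # Convert the exponent to bits, then apply the assumed calibration offset.
    return work * math.log2(math.e) - 14


def password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def min_password_length(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest random password that reaches at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_psk(length: int) -> str:
    """Generate a PSK from the OS CSPRNG; the entropy math only holds for random choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for modulus in (1024, 2048, 3072, 4096):
        bits = rsa_security_bits(modulus)
        length = min_password_length(bits)
        print(f"RSA-{modulus}: ~{bits:.0f} bits -> random password of "
              f"{length} chars ({password_bits(length):.0f} bits)")
    print("example PSK matching RSA-2048:",
          random_psk(min_password_length(rsa_security_bits(2048))))
```

The minimum lengths only apply to secrets produced by something like `random_psk`; a human-chosen passphrase of the same length has far less entropy.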
However, it also heavily depends on the overall scenario! There are situations where a login via certificate is easier for the end user. Similarly, there are situations in which a simple password is better because it is easier to handle, e.g. for site-to-site VPNs. If the password is long enough (and chosen randomly), there is no problem from a purely mathematical perspective. However, the handling of certificates might be much easier and more secure in other situations. For example, you can use hardware security modules (HSMs) for certificates, which will never expose the private key, while a simple pre-shared key might be copied to the wrong destination, and then it’s gone. That is: Though the bits of security might be comparable between public-key cryptography and mere passwords, it still “depends”. ;)
Final note: For a login to a critical system, two-factor authentication should be used anyway. In this case, a password AND certificate can be used. Or a password and a token. Or a certificate and an SMS. Or or or.