GoDaddy hack: Miscreant steals SSH login creds after vandalizing server file (theregister.co.uk)
128 points by notRobot on May 6, 2020 | 10 comments


Why passwords?

One of the very best things about secsh (the IETF's working groups sometimes have fun names, hence their group replacing the Common Authentication Technology is named 'kitten') was that they specifically required Public Key Authentication as a MUST in the standard.

That doesn't mean everybody's SSH setup actually does public key auth, in fact since quite intentionally IETF standards have no "teeth" it doesn't even mean nobody ignores the MUST and refuses everything except passwords, but it does mean one less excuse.

If you use public key authentication then the bad guys in this scenario only get a small privacy hole, whereas if you used passwords they learn your credentials and can impersonate you.
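Added example, not part of the comment above or of the original thread: a small audit that reports every way a password could still reach an OpenSSH server, which is the exposure a tampered sshd can harvest. The function names and the sample configuration are constructed for illustration, and the defaults are assumed to be stock OpenSSH.

```python
# Added example: flag sshd_config settings that let a password reach sshd.
# Assumptions: OpenSSH defaults ("yes" for all three); Include files not followed.
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")
DEFAULTS = dict.fromkeys(PASSWORD_KEYS + ("pubkeyauthentication",), "yes")
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

SAMPLE = """\
# constructed sample, not taken from any real host
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User legacy
    PasswordAuthentication yes
"""


def parse(text):
    """Return (global settings, [(match line, settings)]); first value wins."""
    glob, matches = {}, []
    scope = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key=value" is accepted too
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            scope = {}  # later keywords apply only to this Match block
            matches.append((line, scope))
        elif key in DEFAULTS and len(parts) > 1:
            scope.setdefault(key, parts[1].lower())  # sshd keeps the first value
    return glob, matches


def audit(text):
    """List findings; each one is a path by which a password is sent to sshd."""
    glob, matches = parse(text)
    effective = {**DEFAULTS, **glob}
    findings = [f"global: {k} is {effective[k]}" for k in PASSWORD_KEYS
                if effective[k] != "no"]
    if effective["pubkeyauthentication"] != "yes":
        findings.append("global: pubkeyauthentication is disabled")
    for header, settings in matches:
        findings += [f"{header}: {k} is {v}" for k, v in settings.items()
                     if k in PASSWORD_KEYS and v != "no"]
    return findings
```

Calling `audit(SAMPLE)` reports the keyboard-interactive default and the `Match` override even though the global `PasswordAuthentication` is `no`. On a live host, `sshd -T` prints the effective configuration, including any `Include` files.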


Sounds like "the offending SSH file" modified was sshd, so it captured passwords that were used for auth to the server?


I wonder if some of the "reopen" sites are in the data.


I like the cut of your jib.


I’m puzzled. They got a load of people’s public keys? So what?

Or they got something that's not clearly described from the article. I don’t know what “ssh password” is stored in clear text. A private key's passphrase isn't cleartext and isn't on the server!


It's not like having access to GoDaddy's accounts directly would change something for this specific hack. 28,000 credentials is a substantial heist considering the foul play one could achieve with that many (sub)-websites.

It makes you wonder how many hosting companies have never caught up on backdoors that were added 10~ years ago. For the most part, security these days runs much tighter than it did in the days of simple PHP shells.


An unfortunate domain name that didn't learn their lesson from expertsexchange.com or penisland.com


This comment was about https://www.onlinetoolsexpert.com/godaddy-confirms-data-brea....

We switched the URL to the article that one points to (and seems to have cribbed from).


I literally stared at godaddy for a minute before noticing “sexpert”


Now that's a highly respected company that doesn't ever upsell its crap services and certainly never plays domain-name games. Lol. Go Daddy stinks. It's bad. Avoid them. Their entire market gambit is "fool the less technically savvy while acting authoritative"... I can gossip about them at length if required, but let's rather not, and say we did. Pretty much any other crap host will be better, even a 1and1 or something...



