Can you please elaborate how it is "asking for it" if we assume the basic auth password is reasonably complex and kept as safe as, say, the SSH login credentials of the same server?
You shouldn't be logging in to a server via SSH using a user+password combo, instead use a public/private key combo which is considerably more complex and can't effectively be bruteforced like a user+password.
Most web servers don't really come with any built in defense against brute force attempts vs Basic Auth gates, so unless you've set something up to protect it, someone with enough time will eventually get in.
> "can't effectively be bruteforced like a user+password."
Only when the password is weak enough to bruteforce swiftly. It will take literally thousands of years to bruteforce strong passwords.
But you only need one weak password to get in
But you only need one password to protect your HTTP auth phpMyAdmin so just make it 30 characters.
> someone with enough time will eventually get in
That's only correct if the password is weak. With enough entropy, it's practically impossible to brute force.
Genuine question that I haven't found a good solution to yet: if I want to just go to any old computer and SSH into my server, do I have to carry around a USB stick with the SSH key on it or something? Because I sure as hell won't be able to just remember it.
The preferred solution would be something like a Yubikey. However:
> just go to any old computer and ssh into my server
You've typed your password into a computer you don't control. Now it's gone. Same for plugging in the USB stick. The Yubikey approach mitigates that.
Assuming you want to do this, the best practice you can achieve is just making the password long.
I mean, the password to the only ssh thing accessible from outside is 17 characters, and root is not ssh-able, only my user with a custom username
There's no secure way to do that. You have no guarantee that the computer won't copy your key or keylog your password.
You can mitigate it by using an MFA method that requires confirming on a separate device like a phone, but that's down to one layer of defense.
I use an SSH app on my phone for remote access, and I go over a VPN. SSH is not exposed to the public internet.
In that case I'd normally recommend a bastion host with SSH MFA and fail2ban. It'd be publicly available and have SSH keys for other machines. Or you could look at setting up a VPN solution with MFA, but never have a password only admin login exposed to the public Internet.
I haven’t used it for many years now, but phpMyAdmin was long a source of compromises. Lots of security holes.
That's my point - if you have a reasonably secure password (let's say 50-100 characters, fully random), it's extremely unlikely that anyone is ever going to even get beyond the basic auth prompt.
Until there's a bug that lets you bypass it.
Then you should also be worried about bugs that let you log into an SSH session without providing your SSH certificate, passkey or whatever. Authentication bypass can happen with pretty much any buggy authentication method. None of this is inherently a problem of passwords or basic auth.
Sure, but phpMyAdmin has a long history of major security holes. Its existence on a server tends to be a red flag.
Again, the premise was that phpMyAdmin is secured behind basic auth. It doesn't matter how secure or insecure phpMyAdmin is; it only matters how secure the webserver is that it is served through. phpMyAdmin code isn't even touched until the basic auth login has succeeded. Only after that does it become relevant, in that you either find a hole in phpMyAdmin itself, or you have to break another (hopefully strong) password for the MySQL login itself.
It's not using the webserver's basic auth, it's using their own implementation (https://github.com/phpmyadmin/phpmyadmin/blob/297c1e174b93a9..., via PHP's: https://www.php.net/manual/en/features.http-auth.php).
You can easily put phpMyAdmin behind basic auth as an additional security layer, completely bypassing any PHP execution and letting the web server completely handle the authentication. It's exactly what I have done multiple times in the past. Arguably phpMyAdmin's direct integration is a less secure way of doing it, but do we even know if it's the basic auth itself that was bypassed, or was it just the case of a weak password?
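As an added illustration of the web-server-level gate described in this comment (not taken from the thread or from phpMyAdmin's own code): an nginx vhost in which basic auth is enforced at the server level, so no request reaches PHP-FPM until the credentials check out. The install path, socket path, hostname, htpasswd location and the allowed network are assumptions.

```nginx
# Added example: phpMyAdmin behind nginx basic auth, PHP never runs before auth.
# Assumed paths: /usr/share/phpmyadmin, /etc/nginx/pma.htpasswd,
# /run/php/php-fpm.sock. Hostname and cert paths are placeholders.
server {
    listen 443 ssl;
    server_name db-admin.example.invalid;
    ssl_certificate     /etc/ssl/pma/fullchain.pem;
    ssl_certificate_key /etc/ssl/pma/privkey.pem;

    root  /usr/share/phpmyadmin;
    index index.php;

    # Declared at server level, so every location below inherits it,
    # including the PHP handler. nginx answers 401 itself; the FastCGI
    # backend is not contacted for unauthenticated requests.
    # Create the file with: htpasswd -B -c /etc/nginx/pma.htpasswd dbadmin
    auth_basic           "restricted";
    auth_basic_user_file /etc/nginx/pma.htpasswd;

    # Second, independent condition: the client must also come from the
    # VPN/bastion range (203.0.113.0/24 is a documentation range standing
    # in for the real one). "satisfy all" requires BOTH checks to pass.
    satisfy all;
    allow 203.0.113.0/24;
    deny  all;

    location / {
        try_files $uri $uri/ =404;
    }

    # Only reached once auth_basic and the allow list have both passed.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Never hand out phpMyAdmin's own config or dotfiles, authenticated or not.
    location ~ /(config\.inc\.php|\.) {
        deny all;
    }
}
```

Verify the gate with `curl -I https://db-admin.example.invalid/index.php` from outside the allowed range: a 401 or 403 from nginx with no PHP-FPM log entry confirms the interpreter was never invoked.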
Sure, and I can put the VX gas vials in a safe in my basement, but I'd rather not have them anywhere near me at all.
A password is just plain text, which apart from being bruteforced, can easily be phished. There are so many things wrong with using a password even if it's fairly complex. Instead, stick to passkeys and SSH keys