
> internet facing SSH with a password is very unwise

If your password is strong, it's not.




Don't forget to use a different strong password on each server! https://security.stackexchange.com/a/152132


A strong username also helps! Most SSH brute force attempts are for root, admin, or ubnt.
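Since the comment above rests on what the brute-force traffic actually targets, here is an added example (not code from the original thread or from OpenSSH) that tallies failed-password attempts by username and by source from a few constructed auth.log lines. The log lines, host name and addresses are made up; the message formats follow what sshd writes to syslog, but a real log would need the same parser run over far more lines.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed sample auth.log lines (not from any real server). The real
# account on this host is "x7k2-ops"; the guessing traffic never names it.
SAMPLE_AUTH_LOG = """\
Jan 15 03:12:01 vps sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 15 03:12:03 vps sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 15 03:12:09 vps sshd[2203]: Invalid user admin from 203.0.113.5 port 51240
Jan 15 03:12:09 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 15 03:12:15 vps sshd[2205]: Failed password for invalid user ubnt from 198.51.100.7 port 40022 ssh2
Jan 15 03:13:40 vps sshd[2210]: Accepted publickey for x7k2-ops from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:AAAA
"""

# "invalid user" is present only when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


class FailedLogin(NamedTuple):
    user: str
    source: str
    invalid_user: bool  # True when sshd reported that the account does not exist


def parse_failed_login(line: str) -> Optional[FailedLogin]:
    """Return the failed-password attempt in a log line, or None for other lines."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    return FailedLogin(m["user"], m["src"], m["invalid"] is not None)


def tally(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count failed password attempts per username and per source address."""
    by_user: Counter = Counter()
    by_source: Counter = Counter()
    for line in lines:
        attempt = parse_failed_login(line)
        if attempt is None:
            continue
        by_user[attempt.user] += 1
        by_source[attempt.source] += 1
    return {"by_user": by_user, "by_source": by_source}


def existing_account_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Failed attempts against accounts that really exist: the ones worth reading."""
    hits: Counter = Counter()
    for line in lines:
        attempt = parse_failed_login(line)
        if attempt is not None and not attempt.invalid_user:
            hits[attempt.user] += 1
    return dict(hits)


def noisy_sources(counts: Dict[str, Counter], threshold: int) -> List[str]:
    """Source addresses with at least `threshold` failures, busiest first."""
    return [src for src, n in counts["by_source"].most_common() if n >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    counts = tally(lines)
    print("attempts by username:", counts["by_user"].most_common())
    print("attempts by source:  ", counts["by_source"].most_common())
    print("against real accounts:", existing_account_failures(lines))
    print("sources at/over 2:    ", noisy_sources(counts, 2))
```

The `invalid user` marker is the useful split: attempts against names that do not exist are background noise, while a rising count for a real account is what should page someone, whether or not the password is strong.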


Nope, still unwise. Easy to steal, easy to clone, hard to script. Keys stored in hardware are simple and easy on most platforms these days. Yubikeys or Mac SEP is ideal.


Technically it's easier to steal a private key off of disk than it is to steal a password from inside a person's head or to plant a keylogger. If a keylogger is in place, someone can likely already also access your disk and the password used to protect the private key (or your password manager).


I was recommending the use of secure processor hardware (Mac SEP or Yubikey) that does not allow such malware shenanigans.


It depends on your use case. I have a personal server only I use. In this use case, being able to access it from anywhere without any device trumps other considerations. The password is ideal.

In a corporate setting, things are of course different.


My use case is the same as yours. Malware can steal your credentials, it cannot steal mine. I also don't need fail2ban or to configure any of these new OpenSSH features. Users added to the server can't get compromised due to use of weak passwords.

Passwords are obsolete in 2024, and using them is very nearly universally bad.
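The comment above relies on sshd having no password path at all, which is a configuration property rather than a per-user one. As an added example (not code from the thread or from OpenSSH), here is a small audit of an sshd_config text that checks the relevant keywords against their documented defaults. The two config excerpts are constructed; the parser models the global section only, stops at the first Match block, and applies the sshd_config(5) rule that the first occurrence of a keyword wins, which is the usual reason a "hardening" line appended at the bottom of the file has no effect.

```python
import re
from typing import Dict, List

# Constructed sshd_config excerpts (not from any real host). The first still
# accepts passwords; the second is the keys-only setup the comment describes.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
"""

# Values OpenSSH uses when the keyword is absent (sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}

# Older spelling of the same option; newer OpenSSH treats them as one keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value for the global section, first occurrence winning.

    Lines after the first Match block are ignored: per-user overrides are
    deliberately not modelled here.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        conf.setdefault(key, value)  # sshd keeps the FIRST value it sees
    return conf


def effective(conf: Dict[str, str], key: str) -> str:
    """Configured value, or the OpenSSH default when the keyword is absent."""
    return conf.get(key, DEFAULTS.get(key, "")).lower()


def audit_sshd_config(text: str) -> List[str]:
    """Return a finding per setting that leaves a password login path open."""
    conf = parse_sshd_config(text)
    findings: List[str] = []
    if effective(conf, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': every account can be password-guessed")
    if effective(conf, "kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for a password")
    if effective(conf, "permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root to log in with a password")
    if effective(conf, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: no key-based login remains")
    if effective(conf, "permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords is enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

On a real host, `sshd -T` prints the fully resolved configuration (including Include files and defaults), and feeding its output to `audit_sshd_config` gives a more reliable answer than reading the file by hand.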


> Passwords are obsolete in 2024, and using them is very nearly universally bad.

The first claim is obviously nowhere near being true, and the second seems very subjective.

As the other user is saying, strong passwords with proper security have minimal risk. More than certs or keys yes, but they offer sufficient security and the balance with convenience is currently unbeatable.

Besides, even if someone gets access to your server they should be limited and unable to do any real damage anyway. Defense in depth and all that.


> I also don't need fail2ban or to configure any of these new OpenSSH features

Me neither. If your password has sufficient entropy, you don't need any of this.

> Malware can steal your credentials, it cannot steal mine

The only solution around this is a hardware key or MFA. I find the convenience of not needing anything with me to be superior to the low risk of malware. I understand your opinion may differ here.



