Posted by: Eric Hansen
In my SSH Picaso post, I mentioned how the fingerprint is displayed as ASCII art. But what if we took that a step further? What if that ASCII art was our password?
The fingerprint of a keyfile is supposed to be as unique as the keyfile itself, as it’s derived from the data, right? Who is to say then that we cannot compare arts and match what we have stored with what we received? The article I linked to in the post made a good attempt at doing something similar with GPG, and I commend the author for it. But what about SSH?
Sure, public key authentication is amazing, but what if it isn’t good enough anymore? What if we end up having to encrypt those files via GPG to make them secure? There are a lot of what-ifs but not that many answers.
This would also open the door to storing ASCII art in the database instead of hashes for passwords, and using the password itself as the fingerprint. Of course it’d still have to be salted to reduce collisions, but it’s one more method that could be useful.
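As an added example (not code from the original post), the sketch below implements the "drunken bishop" walk that OpenSSH uses to turn fingerprint bytes into randomart, then compares a stored art with a received one, as the paragraphs on comparing and storing the art describe. The function names and sample digests are constructed for illustration and the key-type border is omitted; the last part shows two different digests that render to the same art, so the art carries less information than the fingerprint it is drawn from.

```python
import hmac

WIDTH, HEIGHT = 17, 9            # OpenSSH field size: 8*2+1 columns, 8+1 rows
SYMBOLS = " .o+=*BOX@%&#/^SE"    # visit count -> character; S = start, E = end


def randomart(digest: bytes) -> list[str]:
    """Render digest bytes as the rows of an SSH-style randomart field."""
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    cap = len(SYMBOLS) - 3       # highest ordinary counter value ('^')
    for byte in digest:
        for _ in range(4):       # four 2-bit diagonal moves per byte, low bits first
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), WIDTH - 1)    # the bishop stops at the walls
            y = min(max(y, 0), HEIGHT - 1)
            if field[y][x] < cap:
                field[y][x] += 1
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2   # mark start 'S'
    field[y][x] = len(SYMBOLS) - 1                      # mark end 'E'
    return ["".join(SYMBOLS[c] for c in row) for row in field]


def art_matches(stored: list[str], received: list[str]) -> bool:
    """Compare two arts without leaking where they first differ."""
    return hmac.compare_digest("\n".join(stored).encode(),
                               "\n".join(received).encode())


# Constructed 16-byte sample digests (not real key fingerprints).
# 0xC3 walks down-right, up-left, up-left, down-right; 0x3C does the mirror
# image. Both visit the same cells equally often and return to the start.
DIGEST_A = bytes([0xC3]) + bytes(15)
DIGEST_B = bytes([0x3C]) + bytes(15)

if __name__ == "__main__":
    for row in randomart(DIGEST_A):
        print("|" + row + "|")
    print("digests equal:", DIGEST_A == DIGEST_B)
    print("arts equal:   ", art_matches(randomart(DIGEST_A), randomart(DIGEST_B)))
```

Because the rendering is many-to-one, a scheme that stores the art should still keep and compare the underlying digest bytes.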