Passwords vs keys vs tokens (when to use which)

Topic: Security basics

Summary

Choose the right credential type for each use case: passwords for human login, keys for SSH and automation, tokens for APIs and short-lived access. Use this when designing auth for a service or when replacing passwords with stronger methods.

Intent: Decision

Quick answer

  • Passwords are something you know; good for human login but weak if reused or leaked. Use strong policy and MFA; avoid for machine-to-machine where keys or tokens are better.
  • Keys (SSH, PGP) are cryptographic; use for SSH login and automation. Store private keys securely; rotate and revoke when compromised or when someone leaves.
  • Tokens (API keys, OAuth, JWT) are for APIs and apps; prefer short-lived and scoped tokens. Rotate API keys; use OAuth so users do not hand passwords to third-party apps.

Steps

  1. When to use passwords

    Use passwords for human login to UIs and services where keys are not supported. Enforce length and complexity; require MFA for admin and sensitive systems; never use the same password across systems.

  2. When to use keys

    SSH keys for server and Git access; PGP for signing and encryption. Keys are stronger than passwords for automation; protect private keys with passphrases and restrict file permissions.

  3. When to use tokens

    API keys for service-to-service; OAuth tokens for user-delegated access; JWT for stateless sessions. Prefer short-lived and scoped tokens; rotate API keys and revoke when not needed.

  4. Avoid mixing

    Do not use passwords for scripts or CI; do not put keys in URLs or logs. Use the right type per context and store each type securely (vault, env, secret manager).
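Step 2 says to restrict file permissions on private keys. The following is an added example (not from the original page) of the check an administrator or a CI pre-flight script would run: it reports a key file that is readable by group or other, fixes it to owner-only, and confirms the fix. It uses only the Python standard library and a constructed throwaway file standing in for a real key; nothing in it is specific to any project.

```python
import os
import stat
import tempfile

# Any group or other permission bit on a private key is a problem; OpenSSH
# itself refuses to use a key whose mode grants access to group/other.
GROUP_OTHER_BITS = 0o077


def key_permission_problems(path):
    """Return a list of problems with the permissions of a private key file.

    An empty list means the file is a regular file owned by the current
    user and accessible only by that user.
    """
    problems = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.getuid():
        problems.append("not owned by the current user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & GROUP_OTHER_BITS:
        problems.append("mode %04o grants access to group/other" % mode)
    return problems


def fix_key_permissions(path):
    """Restrict a private key to owner read/write (0600); return the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_key_permissions():
    """Create a constructed key file with the classic 0644 mistake, then fix it."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        # Constructed placeholder text, not real key material.
        f.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                b"constructed placeholder, not a real key\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
        path = f.name
    os.chmod(path, 0o644)                      # world-readable: the common mistake
    before = key_permission_problems(path)
    new_mode = fix_key_permissions(path)
    after = key_permission_problems(path)
    os.unlink(path)
    return before, new_mode, after


if __name__ == "__main__":
    before, new_mode, after = demo_key_permissions()
    print("before:", before)
    print("after chmod %04o:" % new_mode, after or "ok")
```

Run the check against each file in ~/.ssh (or the key paths your automation uses) rather than only the demo file; the same function applies to PGP key exports and any other private key stored on disk.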
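Step 3 asks for short-lived, scoped tokens. The block below is an added example (not code from the original page, and not any real library's token format) of a minimal HMAC-signed token with an expiry and a scope list, together with a verifier that rejects malformed tokens, bad signatures, expired tokens and tokens lacking the required scope. The signing key, subject and scope names are constructed for the demo; a real issuer loads its key from a secret manager.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key. A real issuer loads the signing key from a secret
# manager and rotates it; it never lives in source.
SIGNING_KEY = b"constructed-demo-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl_seconds, now=None, key=SIGNING_KEY):
    """Mint a short-lived, scoped token of the form <payload>.<HMAC-SHA256 tag>.

    The payload carries the subject, a sorted scope list and absolute
    issue/expiry times, so the verifier needs no server-side session state.
    """
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "scope": sorted(scopes), "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token, required_scope, now=None, key=SIGNING_KEY):
    """Return (ok, reason, payload).

    Checks run signature first, so a payload is never trusted before it is
    authenticated; then expiry; then scope.
    """
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed", None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return False, "bad signature", None
    payload = json.loads(body)
    if now >= payload["exp"]:
        return False, "expired", payload
    if required_scope not in payload["scope"]:
        return False, "insufficient scope", payload
    return True, "ok", payload


def demo_token_lifecycle():
    """Exercise the outcomes a verifier must distinguish, on a fixed clock."""
    t0 = 1_700_000_000                      # constructed clock for a reproducible run
    token = issue_token("ci-deployer", ["deploy:read"], ttl_seconds=300, now=t0)

    # Tampering check: keep the valid tag but widen the scope in the payload.
    # The signature no longer matches, so the verifier must reject it.
    body_b64, tag_b64 = token.split(".")
    edited_payload = json.loads(_unb64(body_b64))
    edited_payload["scope"] = ["deploy:read", "deploy:write"]
    edited_body = json.dumps(edited_payload, separators=(",", ":"), sort_keys=True).encode()
    edited = _b64(edited_body) + "." + tag_b64

    return {
        "fresh, right scope": verify_token(token, "deploy:read", now=t0 + 60)[1],
        "fresh, wrong scope": verify_token(token, "deploy:write", now=t0 + 60)[1],
        "after ttl": verify_token(token, "deploy:read", now=t0 + 300)[1],
        "payload edited": verify_token(edited, "deploy:write", now=t0 + 60)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo_token_lifecycle().items():
        print(f"{case:20} -> {outcome}")
```

The five-minute TTL is what makes rotation and revocation cheap: a leaked token stops working on its own, and the scope list means a token minted for reading cannot be used for writing even before it expires.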
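Step 4 (and the Troubleshooting entry "Password in script") describe the leak shapes to avoid: passwords hard-coded in scripts, and keys or tokens in URLs and logs. The scanner below is an added example (not from the original page) of the detection side of that rule: it runs over constructed log and script lines, reports each line that carries a credential, and redacts the secret so the finding itself can be logged or ticketed safely. The patterns and sample values are constructed for the demo; tune them to your own logging formats.

```python
import re

# Constructed patterns for the leak shapes named in the text. Each capture
# group marks the part to redact; the private-key header has none because
# the header line itself is the finding.
PATTERNS = {
    "secret in URL query": re.compile(
        r"[?&](?:token|api_key|apikey|access_token|key)=([^&\s\"']+)", re.I),
    "credentials in URL": re.compile(
        r"[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@", re.I),
    "private key material": re.compile(
        r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "password in script": re.compile(
        r"(?:PASSWORD|PASSWD|SECRET)\s*=\s*[\"']?([^\s\"']+)", re.I),
}


def redact(line):
    """Mask every captured group of every pattern, keeping the surrounding text."""
    for rx in PATTERNS.values():
        def mask(m):
            s = m.group(0)
            # Replace groups last-to-first so earlier offsets stay valid.
            for i in range(m.lastindex or 0, 0, -1):
                a, b = m.start(i) - m.start(0), m.end(i) - m.start(0)
                s = s[:a] + "[REDACTED]" + s[b:]
            return s
        line = rx.sub(mask, line)
    return line


def find_credential_leaks(lines):
    """Return (line_no, kind, redacted_line) for each line carrying a credential."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((n, kind, redact(line)))
                break                       # one report per line is enough for triage
    return findings


# Constructed sample: a few access-log lines, a shell snippet and a key header.
SAMPLE_LINES = [
    "2024-01-01T10:00:00Z GET /v1/items?page=2 200",
    "2024-01-01T10:00:01Z GET /v1/items?api_key=sk_constructed_123456 200",
    "git clone https://deploy:Hunter2pass@git.example.invalid/org/repo.git",
    'export DB_PASSWORD="constructed-plaintext"',
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "2024-01-01T10:00:02Z POST /v1/login 302",
]


if __name__ == "__main__":
    for line_no, kind, redacted in find_credential_leaks(SAMPLE_LINES):
        print(f"line {line_no}: {kind}: {redacted}")
```

Each hit maps to the remediation the page gives: a password in a script becomes a key or a scoped token stored in a secret manager, and a key or token seen in a URL or log is treated as leaked and rotated.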

Summary

Use passwords for human login with MFA; keys for SSH and automation; tokens for APIs and short-lived access. Store each type securely and do not use passwords for machines.


Verification

You can choose the right credential type for human login, SSH, and API access and explain where each is stored.

Troubleshooting

  • Password in script — Replace with a key or token and restrict scope.
  • Long-lived API key — Rotate to a new key and revoke the old one; use short-lived tokens where supported.
