The Secure Shell protocol contains numerous features to avoid some of the vulnerabilities with password authentication. Passwords are sent as encrypted over the network, thus making it impossible to obtain the password by capturing network traffic. Also, passwords are never stored on the client. Empty passwords are not permitted by default (and they are strongly discouraged).

On the server side, the Secure Shell protocol relies on the operating system to provide confidentiality of the user passwords. SSH Tectia Server also supports limiting the number of password retries, thereby making brute-force and dictionary attacks difficult.

However, Secure Shell does not protect against weak passwords. If a malicious user is able to guess or obtain the password of a legitimate user, the malicious user can authenticate and pose as the legitimate user. Weak passwords can also be discovered by dictionary attacks from a remote machine.

Password authentication can also be used as a generic authentication method. This is the case with SSH Tectia Connector when all users use the same credentials. In this case only data encryption and data integrity services are provided. The responsibility for user authentication is left to the tunneled third-party application.

The following lists sum up the advantages and disadvantages of using password authentication with SSH Tectia.