
"As for protecting your self against these, you need to use strong and good passwords..."

I went back to the top to see when this was posted...today. I'm no expert on securing a server, but I thought the common thinking now was to just turn off password auth. The post itself says that all it takes is one weak password to be compromised.

Using keys is ever-so-slightly less convenient at setup, but negligibly so. Works on any device I have. Is there a reason one would continue to use passwords?
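The "just turn off password auth" advice above is a small sshd_config change, but distro defaults leave password logins on, and PAM keyboard-interactive is a second password path that is easy to forget. The script below is an added example, not from the thread or from OpenSSH: it audits an sshd_config for the settings that let password guessing work at all, using only POSIX sh and awk. It follows the sshd_config(5) rule that the first value of a keyword wins and that anything after a Match header is conditional; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# settings that let password guessing work at all. Assumes POSIX sh
# and awk only. sshd_config(5) rule: the FIRST value seen for a
# keyword wins, and lines after a "Match" header are conditional,
# so parsing stops there.

# first_value FILE KEYWORD DEFAULT -> prints the effective value
first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments, blank lines
        tolower($1) == "match"      { exit }      # conditional section starts
        tolower($1) == key          { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> prints findings, returns 0 only when clean
audit_sshd_config() {
    f="$1"; ok=0
    pw=$(first_value "$f" PasswordAuthentication yes)
    # Keyboard-interactive (PAM) is a second password path; the keyword
    # was renamed from ChallengeResponseAuthentication in OpenSSH 8.7,
    # so honour either spelling.
    kbd=$(first_value "$f" KbdInteractiveAuthentication \
          "$(first_value "$f" ChallengeResponseAuthentication yes)")
    root=$(first_value "$f" PermitRootLogin prohibit-password)
    pub=$(first_value "$f" PubkeyAuthentication yes)

    [ "$pw" = no ]     || { echo "FAIL PasswordAuthentication=$pw"; ok=1; }
    [ "$kbd" = no ]    || { echo "FAIL keyboard-interactive=$kbd (PAM can still ask for a password)"; ok=1; }
    [ "$root" != yes ] || { echo "FAIL PermitRootLogin=yes"; ok=1; }
    [ "$pub" = yes ]   || { echo "FAIL PubkeyAuthentication=$pub"; ok=1; }
    if [ "$ok" -eq 0 ]; then echo "PASS $f"; fi
    return "$ok"
}

# Constructed sample configs: a distro-default style file that still
# accepts passwords, and a hardened one with a per-user exception.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# Nothing set, so the default PasswordAuthentication=yes applies
Port 22
ChallengeResponseAuthentication yes
EOF
cat > "$HARD" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
# Everything below the Match header only applies to that user
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK" || true    # non-zero exit: findings printed
audit_sshd_config "$HARD"
```

Run it against `/etc/ssh/sshd_config` after `sshd -t`, and remember that files under `/etc/ssh/sshd_config.d/` pulled in by an `Include` line come first and therefore win; this checker reads a single file and does not follow includes.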



Yes, SSH keys are the recommended option. The post has been updated there to state that.

thanks,


When you're traveling or just for convenience's sake. You might not always have your key on hand, or may use devices/apps or computers that make it difficult to load one.

If your password is strong enough and isn't reused, most attacks are prevented. You could in theory eyeball a really long complex password but it would be quite difficult. Keys are mostly useful for multiple-device identity management and passwordless login using an agent.


>Using keys is ever-so-slightly less convenient at setup

And it's easier once it's set up. I don't have to punch in a password any time I need to make a server change.


More importantly, it is far easier to revoke on a person-to-person basis even on the same account.

If you use password auth and some accounts have a password that is shared knowledge (root, anyone?), you have to change all passwords once one person's permissions change.

In practice, revoking public keys is a problem for many companies already as I found out when my private key was stolen a while ago. (on an encrypted drive, but paranoia is paranoia)


Don't forget that makes you more vulnerable to malware on the client, which now has easy access to your keys, and your known_hosts file (which gives the attacker a convenient list of servers to attempt to log into using those keys.)


Yes, this is why having a passphrase on your key is recommended. The idea is not to use keys instead of passwords, but in addition to: the password protects the private key locally, which is used to authenticate to the server. However that seems to be uncommon practice.
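The two client-side risks raised in the last comments, an unhashed known_hosts that doubles as a target list and a private key with no passphrase, can both be checked from the files alone. The script below is an added example, not from the thread or from OpenSSH: it reports plaintext known_hosts entries and reads the cipher name recorded in an OpenSSH private key (`none` means no passphrase protects it). It assumes POSIX sh plus coreutils (`base64`, `head`, `tail`, `od`); the sample key files are constructed and contain only the header fields the parser reads, not real key material.

```shell
#!/bin/sh
# Added example (not from the thread): two client-side checks. An
# unhashed known_hosts hands malware a target list, and a private key
# stored with cipher "none" needs no passphrase. Assumes POSIX sh plus
# coreutils (base64, head, tail, od) and OpenSSH's file formats; the
# sample key blobs are constructed and truncated to the header fields.

# known_hosts_unhashed FILE -> prints each plaintext host field;
# returns 0 only when every entry is in the hashed "|1|salt|hash" form.
known_hosts_unhashed() {
    awk 'BEGIN { bad = 0 }
         NF == 0 || /^[[:space:]]*#/ { next }
         $1 !~ /^[|]1[|]/ { print $1; bad = 1 }
         END { exit bad }' "$1"
}

# private_key_cipher FILE -> prints the cipher name recorded in an
# OpenSSH private key file: "none" means anyone who reads the file
# owns the key. Legacy PEM keys report "pem-encrypted" or "pem-plain".
private_key_cipher() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        # openssh-key-v1 layout: "openssh-key-v1\0" (15 bytes), then a
        # big-endian uint32 length, then the cipher name itself.
        blob=$(sed '/^-----/d' "$1" | tr -d '\n')
        len=$(printf '%s' "$blob" | base64 -d | tail -c +16 | head -c 4 |
              od -An -tu1 | awk '{ print $1*16777216 + $2*65536 + $3*256 + $4 }')
        printf '%s' "$blob" | base64 -d | tail -c +20 | head -c "$len"
        echo
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo pem-encrypted
    else
        echo pem-plain
    fi
}

# Constructed samples (not real keys): only the header bytes are present.
TMP=$(mktemp -d)
{
    echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'
} > "$TMP/id_plain"
{
    echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'
} > "$TMP/id_passphrase"
cat > "$TMP/known_hosts" <<'EOF'
# constructed: one hashed entry, one plaintext entry
|1|Q2vWx0d3K5n1q7Lq8zJ0cZ1a9tA=|2gHq1Y3h7F6bX8wK5zR0pL9mN4s= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample
bastion.example.net,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample
EOF

for k in "$TMP/id_plain" "$TMP/id_passphrase"; do
    echo "$k: cipher=$(private_key_cipher "$k")"
done
known_hosts_unhashed "$TMP/known_hosts" \
    || echo "plaintext hosts found: run 'ssh-keygen -H' and set 'HashKnownHosts yes' in ~/.ssh/config"
```

The fixes are one command each: `ssh-keygen -H -f ~/.ssh/known_hosts` rewrites existing entries in hashed form, `HashKnownHosts yes` keeps new ones hashed, and `ssh-keygen -p -f ~/.ssh/id_ed25519` adds a passphrase to a key that reports `none`.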


Still, any password that isn't very weak will do just fine, especially if root can't log in directly.



