Does obfuscating a security model have a place in password security?

Question

When it comes to password security there are things that people agree on like storing salted hashes of passwords, which gives a statistical defense against a compromised model and data.

What some don't seem to agree with are what to do with the salts. There are an infinite number of techniques you can do to try to protect the salts as well, but many experts will suggest that they are just pointless obfuscation of the security model, and that over time the model will be exposed, and I find myself disagreeing with this, but I may not be understanding the other viewpoint.

What I don't understand is if your model is compromised, why should you assume a full compromise instead of a partial? If your security model is distributed across different pieces of infrastructure which aren't equally secured, a partial compromise might not even be a problem. (If you do something like, say, encrypt the salt and retrieve the encryption-key from a more highly secured environment that is less likely to be compromised)

I'm assuming that a compromise isn't always 100% here. I've never had a system hacked nor have I ever hacked so I don't have the complete picture.

Answer 1

The big difference between obfuscation and encryption is that what is obfuscated can be clarified without the need for anything beyond the obfuscated information - as long as you can figure out the type of data you are looking at, then you can find a way to clarify it.

Encryption, meanwhile, can only be decrypted with the right key/password/cracking tool. Encrypted data without those things is very secure.

Consequently obfuscation can at best slow down a determined attacker, although it might put off a less determined one. There are many easier and more maintainable things you can do around the security of your system and your servers to harden them against less determined attackers, so the cost of obfuscation in terms of additional work for you and your systems is rarely justified in my opinion.

To assume a compromise is not 100% when one occurs is a very risky endeavour as what you are actually assuming is that you are smarter and more aware of your system than your attacker. You may be right, but if you assume it and you are wrong then you are in very serious trouble indeed. You have to prove it, and given the problems with proving a negative it is safer to act as though you have been compromised completely when a compromise occurs and to design your systems so that they are as secure as possible even in the situation where a total compromise has occurred.