Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Isn't a password a form of security through obscurity?

I know that security through obscurity is frowned upon and considered not really secure, but isn't a password security through obscurity? It's only secure so long as no one finds it.

Is it just a matter of the level of obscurity? (i.e. a good password well salted and hashed is impractical to break)

Note I'm not asking about the process of saving passwords (Assume they are properly hashed and salted). I'm asking about the whole idea using a password, which is a piece of information, which if known could compromise a person's account.

Or am I misunderstanding what security through obscurity means? I guess that's what I assume it to mean, that is there exists some information which if known would compromise a system (in this case, the system being defined as whatever the password is meant to protect)

like image 216
Davy8 Avatar asked Dec 20 '10 01:12

Davy8


People also ask

What is an example of security through obscurity?

An example of security by obscurity is when someone has an expensive house outfitted with the latest lock system, but the way you open the lock is simply by jiggling the handle. So if you don't know to do that, it's pretty secure, but once you know it's trivial to bypass.

What is security through obscurity?

Security through obscurity (STO) is reliance upon secrecy in software development to minimize the chance that weaknesses may be detected and targeted.

What is avoid security by obscurity?

Security by obscurity, also known as security through obscurity, is the belief that a software system is secure as long as internal details are kept hidden and vulnerabilities are not known or are difficult to detect.

What is password and security?

Password security and password protection are practices for establishing and verifying identity and restricting access to devices, files, and accounts. They help ensure that only those who can provide a correct password in response to a prompt are given access.

Are passwords secure by obscurity?

The short answer is no. Passwords by themselves are not security by obscurity. A password can be thought of as analogous to the key in cryptography. If you have the key you can decode the message. If you do not have the key you can not.

What is security through obscure?

Security through obscurity (STO) is a controversial principle in security engineering based on the premise that secrecy of an element or function can ensure security of the whole. One of the first lessons any aspiring security professional or system administrator learns is: 'security through obscurity is bad'.

Can obscure replace good security?

However, it’s quite common to see people use obscurity as a replacement for good security. Thinking that a weak password is okay because no one knows where to go to log in anyway is dangerous. There are three basic types of security: security by design, security by openness, and security by obscurity.

Should I use obscurity for source code?

Obscurity should never be used as an alternative to proper security techniques. Obscurity as a means of hiding your source code to prevent copying is another subject. I'm rather split on that topic; I can understand why you might wish to do that, personally I've never been in a situation where it would be wanted.


1 Answers

You are right in that a password is only secure if it is obscure. But the "obsure" part of "security through obscurity" refers to obscurity of the system. With passwords, the system is completely open -- you know the exact method that is used to unlock it, but the key, which is not part of the system, is the unknown.

If we were to generalize, then yes, all security is by means of obscurity. However, the phrase "security through obscurity" does not refer to this.

like image 191
David Tang Avatar answered Sep 22 '22 19:09

David Tang