Why is security through obscurity a bad idea? [closed]

I recently came across a system where all of the DB connections were managed by routines obscured in various ways, including base64 encoding, md5sums and various other techniques.

Why is security through obscurity a bad idea?

Jrgns asked Feb 10 '09 20:02 (876 likes)


People also ask

Why security through obscurity is bad?

Security through obscurity is bad because it substitutes real security for secrecy in such a way that if someone learns the trick they compromise the system. Obscurity can be extremely valuable when added to actual security as an additional way to lower the chances of a successful attack, e.g., camouflage, OPSEC, etc.

Is security through obscurity good?

Security by obscurity alone is discouraged and not recommended by standards bodies. The National Institute of Standards and Technology (NIST) in the United States sometimes recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."

What is an example of security through obscurity, and why is it not a good practice?

An example of security through obscurity might involve closely guarding the written specifications for security functions and preventing all but the most trusted people from seeing it. Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all.

What is security through obscurity?

Security through obscurity (STO) is reliance upon secrecy in software development to minimize the chance that weaknesses may be detected and targeted.


1 Answer

Security through obscurity would be burying your money under a tree. The only thing that makes it safe is no one knows it's there. Real security is putting it behind a lock or combination, say in a safe. You can put the safe on the street corner because what makes it secure is that no one can get inside it but you.

As mentioned by @ThomasPadron-McCarty in a comment below:

If someone discovers the password, you can just change the password, which is easy. If someone finds the location, you need to dig up the money and move it somewhere else, which is much more work. And if you use security by obscurity in a program, you would have to rewrite the program.

Rex M answered Oct 13 '22 04:10 (105 likes)
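The buried-money comparison in the answer can be shown in code. The following is an added example, not code from the question, the answer or the system the asker describes. The obscuring routine (reverse the bytes, then base64) stands in for the kind of keyless transform the question mentions; the keyed side uses HMAC-SHA256 over a constructed configuration record as a stand-in for any design whose only secret is a replaceable key. The sample password, the key sizes and the `compare()` helper are all assumptions made for the example.

```python
"""Added example: a keyless "obscuring" routine versus a keyed construction.

The keyless routine is the buried money: the only secret is the method, so
anyone who can read the code recovers the value, and the only remedy once
the method is known is to rewrite the code. The keyed HMAC is the safe: the
algorithm is public, only the key is secret, and rotating it is one change.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed sample credential for the example (not a real secret).
SAMPLE_PASSWORD = "example-db-password"


def obscure(plaintext: str) -> str:
    """Obscurity only: reverse the bytes, then base64-encode. No key involved."""
    return base64.b64encode(plaintext.encode()[::-1]).decode()


def deobscure(blob: str) -> str:
    """Inverse of obscure(). Whoever has this function recovers the plaintext."""
    return base64.b64decode(blob)[::-1].decode()


def tag(key: bytes, message: bytes) -> str:
    """Keyed construction: HMAC-SHA256 over message. The method is public."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, expected: str) -> bool:
    """Constant-time check of a tag; fails without the right key."""
    return hmac.compare_digest(tag(key, message), expected)


def rotate_key() -> bytes:
    """Rotation is a one-value change: mint a fresh key, rewrite nothing."""
    return secrets.token_bytes(32)


def compare() -> dict:
    """Return the observable difference between the two approaches."""
    blob = obscure(SAMPLE_PASSWORD)

    key = rotate_key()
    record = b"db_host=db.internal;db_user=app"  # constructed config record
    t = tag(key, record)
    new_key = rotate_key()

    return {
        # Knowing the method is enough to undo obscurity; no key is needed.
        "obscured_recoverable_without_key": deobscure(blob) == SAMPLE_PASSWORD,
        # Knowing the method (HMAC-SHA256) is not enough without the key.
        "tag_verifies_with_key": verify(key, record, t),
        "tag_fails_after_rotation": not verify(new_key, record, t),
        # A modified record is detected even though the algorithm is public.
        "tamper_detected": not verify(key, record + b";db_user=admin", t),
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {ok}")
```

The point of `compare()` is the asymmetry: the obscured value is recovered by `deobscure()` with nothing but the source, while the keyed tag survives publication of the algorithm and is invalidated by a single key rotation rather than a rewrite. For real database credentials the practical consequence is to keep them out of the code entirely and load them from a secret store or environment the code does not ship with.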