re: Thoughts on "Security Through Obscurity" VIEW POST

re: Can anyone here tell us what security is NOT 'security through obscurity'? Passwords, pki keys - they all rely on obscurity to a degree. It's just ...

You seem to be missing the point. "Security through obscurity" is the idea that it's harder for someone to find vulnerabilities in your system, if they don't know how your system works. So, if you change your RDP port to something non-standard, malicious actors won't necessarily know to try looking for RDP vulnerabilities on that port. That's obscurity.

Now, "obscure" does not mean the same as "secret." The big difference is that a secret can't be logically guessed (in theory). Someone can logically figure out how your system is working. And that's why security through obscurity is a unique and flawed practice.


I think both are still places on a long scale.
For example, the /admin path of a website could be changed to /do-stuff and passwords not required. Clearly just 'obscure' and nothing more.
How about changing it to /sgs95grb3su19sj? Is that obscure or secret?
We can do the same with passwords?
In our fictitious we re-enable the 'admin' password, but set it to 'admin'. Is this 'obscure' or 'secret'?
How about if we change it to the name of the daughter if the principle admin? More obscure? It can certainly be discovered, so not really secret.
How about a longer string that can't be phished or guessed? If the site doesn't block accounts for multiple wrong passwords, it can still be 'guessed' given some time - like 'obscure' features can.
The point is, some 'obscure' things just take way longer to guess than others. We draw a line where something changes from 'obscure' to 'secret' but as we have seen in history, that line can vary hugely over time and what is 'secret' today can be simply 'obscure' tomorrow.

code of conduct - report abuse