
re: Thoughts on "Security Through Obscurity"

re: You seem to be missing the point. "Security through obscurity" is the idea that it's harder for someone to find vulnerabilities in your system, if ...

I think both are still places on a long scale.
For example, the /admin path of a website could be changed to /do-stuff and passwords not required. Clearly just 'obscure' and nothing more.
How about changing it to /sgs95grb3su19sj? Is that obscure or secret?
We can do the same with passwords?
In our fictitious example we re-enable the 'admin' password, but set it to 'admin'. Is this 'obscure' or 'secret'?
How about if we change it to the name of the daughter of the principal admin? More obscure? It can certainly be discovered, so not really secret.
How about a longer string that can't be phished or guessed? If the site doesn't block accounts for multiple wrong passwords, it can still be 'guessed' given some time - like 'obscure' features can.
The point is, some 'obscure' things just take way longer to guess than others. We draw a line where something changes from 'obscure' to 'secret' but as we have seen in history, that line can vary hugely over time and what is 'secret' today can be simply 'obscure' tomorrow.
