
re: Thoughts on "Security Through Obscurity"


You can add obscurity to your system, but please do not call it security. There can be advantages to the scenarios you suggest, but the security they add is just an illusion.

To go with your analogy, I would say that "security by obscurity" in a bank is more like having various signs on the walls indicating that the vault is in a different location than where it really is. It makes it difficult for legitimate employees to do their job, but it doesn't deter determined attackers.

If, as a bank, you were to keep your vault in the middle of the customer area, it becomes a lot easier to notice when someone's been trying to pick the lock for half an hour. It may even discourage the casual criminal, knowing their deeds will be seen by all.

With any security measure, you have to weigh the security it adds, and its non-security benefits, against the hassle it causes to legitimate users, and against the lengths people will go to in order to make legitimate use bearable. For example, if you require passwords to be at least 20 characters with at least 4 digits, 3 symbols, 3 uppercase, 1 emoji and no two consecutive digits, you can bet someone will write that password down on a piece of paper, and then your system is as secure as that piece of paper.
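As an added illustration of the password-policy point above (this is example code written for this page, not the commenter's), the script below implements the deliberately absurd composition rules from the comment as a checker and runs two constructed inputs through it: a random five-word passphrase, which the policy rejects, and a template-shaped password of the kind users invent to satisfy such rules, which it accepts. The emoji test, the alternative length-plus-blocklist policy, and the blocklist contents are this example's own assumptions, not anything the comment specifies.

```python
from __future__ import annotations

import unicodedata


def is_emoji(ch: str) -> bool:
    """Crude emoji test (an assumption of this example): a 'Symbol, other'
    code point at or above U+2600. A production checker would consult the
    Unicode emoji data files instead."""
    return unicodedata.category(ch) == "So" and ord(ch) >= 0x2600


def check_absurd_policy(pw: str) -> list[str]:
    """Apply the comment's rules: >= 20 chars, >= 4 digits, >= 3 symbols,
    >= 3 uppercase, >= 1 emoji, no two consecutive digits.
    Returns the names of the violated rules; an empty list means accepted."""
    failures = []
    if len(pw) < 20:
        failures.append("length>=20")
    if sum(ch.isdigit() for ch in pw) < 4:
        failures.append("digits>=4")
    # Symbols: anything that is not a letter, digit, whitespace or emoji.
    symbols = sum(1 for ch in pw
                  if not ch.isalnum() and not ch.isspace() and not is_emoji(ch))
    if symbols < 3:
        failures.append("symbols>=3")
    if sum(ch.isupper() for ch in pw) < 3:
        failures.append("upper>=3")
    if not any(is_emoji(ch) for ch in pw):
        failures.append("emoji>=1")
    if any(a.isdigit() and b.isdigit() for a, b in zip(pw, pw[1:])):
        failures.append("no-consecutive-digits")
    return failures


# Constructed blocklist standing in for a real breached-password corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "summer2024"}


def check_length_and_blocklist(pw: str, blocklist=BLOCKLIST,
                               min_len: int = 12) -> list[str]:
    """Alternative policy (this example's assumption, in the spirit of
    NIST SP 800-63B guidance): a minimum length plus a check against
    known-bad passwords, with no composition rules that push users toward
    templates or sticky notes."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"length>={min_len}")
    # Normalise before comparing so lookalike forms hit the blocklist too.
    if unicodedata.normalize("NFKC", pw).casefold() in blocklist:
        failures.append("blocklisted")
    return failures


# Constructed inputs for the demonstration.
RANDOM_PASSPHRASE = "glacier tuba velvet orchid mango"   # five random words
TEMPLATED = "Summer.1-Password.2-Final.3-Abc.4🙂"        # rule-satisfying template


if __name__ == "__main__":
    for pw in (RANDOM_PASSPHRASE, TEMPLATED):
        print(f"{pw!r}:")
        print("  absurd policy    ->", check_absurd_policy(pw) or "accepted")
        print("  length+blocklist ->", check_length_and_blocklist(pw) or "accepted")
```

Running it shows the trade-off the comment describes: the passphrase fails four of the composition rules while the predictable template passes all of them, whereas the length-plus-blocklist policy accepts the passphrase and still rejects the obvious junk.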
