Isn't a password a form of security through obscurity?

Question

I know that security through obscurity is frowned upon and considered not really secure, but isn\'t a password security through obscurity? It\'s only secure so long as no one f

Answer 1

I know that security through obscurity is frowned upon and considered not really secure, but isn't a password security through obscurity? It's only secure so long as no one finds it.

In order to answer this question, we really need to consider why "security through obscurity" is considered to be flawed.

The big reason that security through obscurity is flawed is that it's actually really easy to reverse-engineer a system based on its interactions with the outside world. If your computer system is sitting somewhere, happily authenticating users, I can just watch what packets it sends, watching for patterns, and figure out how it works. And then it's straightforward to attack it.

In contrast, if you're using a proper open cryptographic protocol, no amount of wire-sniffing will let me steal the password.

That's basically why obscuring a system is flawed, but obscuring key material (assuming a secure system) is not. Security through obscurity will never in and of itself secure a flawed system, and the only way to know your system isn't flawed is to have it vetted publicly.