Isn't a password a form of security through obscurity?

Question

I know that security through obscurity is frowned upon and considered not really secure, but isn\'t a password security through obscurity? It\'s only secure so long as no one f

Answer 1

No, they are not.

Security through obscurity means that the process that provides the access protection is only secure because its exact details are not publicly available.

Publicly available here means that all the details of the process are known to everyone, except, of course, a randomized portion that constitutes the key. Note that the range from which keys can be chosen is still known to everyone.

The effect of this is that it can be proven that the only part that needs to be secret is the password itself, and not other parts of the process. Or conversely, that the only way to gain access to the system is by somehow getting at the key.

In a system that relies on the obscurity of its details, you cannot have such an assurance. It might well be that anyone who finds out what algorithm you are using can find a back door into it (i.e. a way to access the system without the password).