Security by obscurity does not work, because people are only so creative up to a point. Hence, there are only a handful of configurations for the attacker to try out.
This contrasts with, e.g., 128-bit secure encryption, which involves trying 2^128 times to break it - which is a number with a whopping 38 zeros. It takes 10^22 years to break it by trying at a 1 GHz rate. It is simply incomparable, and adding a few bits of security by an obscure combination is simply not worth it.
Yet, so many people and organizations seem to prefer obscurity to actual security.
It really depends on the purpose. Sometimes you can hide stuff in unexpected places when there isn’t much interest for other people to find it, or if they don’t even know about its existence.
Also, sometimes it is good enough to just delay the discovery of something for a while, because its value after a certain time has diminished completely.
So, I would argue that sometimes security by obscurity can be useful. But I agree that it generally shouldn’t replace proper encryption.