32

I know that security through obscurity is frowned upon and considered not really secure, but isn't a password security through obscurity? It's only secure so long as no one finds it.

Is it just a matter of the level of obscurity? (i.e. a good password well salted and hashed is impractical to break)

Note I'm not asking about the process of saving passwords (Assume they are properly hashed and salted). I'm asking about the whole idea using a password, which is a piece of information, which if known could compromise a person's account.

Or am I misunderstanding what security through obscurity means? I guess that's what I assume it to mean, that is there exists some information which if known would compromise a system (in this case, the system being defined as whatever the password is meant to protect)

prostynick
Davy8
  • 6
    That's a pretty far stretch of what security through obscurity means. – Falmarri Dec 20 '10 at 01:18
  • 3
    @Falmarri I guess that's actually my question, other than the degree of obscurity, what separates a password from other forms of security through obscurity? How is the line drawn between whether a form of security is or not is through obscurity? – Davy8 Dec 20 '10 at 01:21
  • 6
    Could the close voters explain how this is not a real question? I'm sincerely interested in the answer and I'm not just trying to troll. – Davy8 Dec 20 '10 at 01:23

8 Answers

28

You are right in that a password is only secure if it is obscure. But the "obscure" part of "security through obscurity" refers to obscurity of the system. With passwords, the system is completely open -- you know the exact method that is used to unlock it, but the key, which is not part of the system, is the unknown.

If we were to generalize, then yes, all security is by means of obscurity. However, the phrase "security through obscurity" does not refer to this.

David Tang
  • 2
    In fact, the system needs to be completely open, so that you can prove that the only part that needs to be kept "obscure" is the password. So that you can prove that the only way to "break in" is to find out the password. – Thilo Dec 20 '10 at 01:37
  • @box9: You're kind of correct, but, you can declare anything "the key", so, for example, in port knocking the strategy of knocks is the key. Some people would call this "security by obscurity"; so what is your position then? That it is, or isn't? – Noon Silk Dec 20 '10 at 01:39
  • 2
    I see, but how does one define a "system"? Say we're talking about the password for the root user of a computer? If that were to be discovered wouldn't that compromise the whole "system"? – Davy8 Dec 20 '10 at 01:42
  • @Noon: If you are trying to hide an unpatched service by hiding it on a random port, yes, that most certainly is security through obscurity. However, that has nothing to do with whether or not Passwords are a form of security through obscurity. – Stefan H Dec 20 '10 at 01:42
  • @Stefan H: And my point is proven :) In fact, you can model the port knocking as a password. So, by your definition and box9's, it is not. Thus, you are at a contradiction, and you must accept your original assumption as false :) – Noon Silk Dec 20 '10 at 01:43
  • @Noon: I'll let Anon take it from here. He has a very good answer to this. http://stackoverflow.com/questions/4486171/isnt-a-password-a-form-of-security-through-obscurity/4486284#4486284 – Stefan H Dec 20 '10 at 01:47
  • @Stefan: Anon. generally has very good answers, but his response this time is not one of them. – Noon Silk Dec 20 '10 at 01:48
  • @Noon: Your example of port knocking is an example of an *insecure system* that allows the "password" (such as it is) to be leaked easily. Whether or not keeping the "password" secret in that case is technically "security through obscurity" is pretty much irrelevant. – Anon. Dec 20 '10 at 01:55
  • @Anon: The password can be leaked by watching the typing. The difference is that the knocking takes place over the Internet, the typing takes place over the keyboard. Technically correct and also *usefully* correct, to dispel the notion that people can dismiss things with "Security by obscurity" without actually understanding what they are saying. Virtually no-one here does. – Noon Silk Dec 20 '10 at 01:57
  • @Noon, @Davy8 I think you're both correct to a degree. As I mentioned in my answer, it really depends on what level of abstraction/generalisation you are considering. However, there is a point, depending on your purpose, where too high an abstraction makes the point moot. It is possible to consider all security as obscurity, since if we are talking about ABSOLUTE security, either everyone has access, or no one does (information asymmetry must exist to allow access to select users). – David Tang Dec 20 '10 at 02:35
  • @box9: I agree with you, but I think it's interesting to note how the popularisation of the term has led to some completely incorrect claims in this thread (not by you). It, to me, shows that "security by obscurity" is not really a correct 'abstraction' for non-experts to use. They should strictly be forced to understand the detail. – Noon Silk Dec 20 '10 at 02:37
  • 1
    @Noon, @Davy8, continued... If we take Noon's example and consider a password being stolen by watching someone type: if and only if this is a real, practical concern for the system in question, then you would have to expand the definition of "system" to include the process of typing. In this case, typing can be considered as another communication channel just as the internet is, and a password would be security through obscurity, while a physical lock to the room would not. However, my point is that a practical baseline needs to be established for discussion. – David Tang Dec 20 '10 at 02:43
  • @box9: I can agree to that. I am just trying to encourage the idea that *everything* be analysed and certain ideas not be discarded without strict and proper analysis. (As the OP is, from my view, trying to do). Defense in depth is very important (I'm sure you will agree). – Noon Silk Dec 20 '10 at 02:47
  • @Noon, yes, that's fair enough. I certainly do encourage the OP to continue to probe, while remembering that security ultimately must be practical. – David Tang Dec 20 '10 at 03:00
20

Maybe it's easier to understand what Security-by-Obscurity is about by looking at something that is in some sense the opposite: Auguste Kerckhoffs's Second Principle (now usually known simply as Kerckhoffs's Principle), formulated in 1883 in two articles on La Cryptographie Militaire:

[The cipher] must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.

Claude Shannon reformulated it as:

The enemy knows the system.

And Eric Raymond as:

Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy.

An alternative formulation of that principle is that

The security of the system must depend only on the secrecy of the key, not the secrecy of the system.

So, we can simply define Security-by-Obscurity to be any system that does not follow that principle, and thus we cleverly out-defined the password :-)

There are two basic reasons why this Principle makes sense:

  1. Keys tend to be much smaller than systems, therefore they are easier to protect.
  2. Compromising the secrecy of a key only compromises the secrecy of all communications protected by that key, compromising the secrecy of the system compromises all communications.

Note that it doesn't say anywhere that you can't keep your system secret. It just says you shouldn't depend on it. You may use Security-by-Obscurity as an additional line of defense, you just shouldn't assume that it actually works.

In general, however, cryptography is hard, and cryptographic systems are complex, therefore you pretty much need to publish it, to get as many eyeballs on it as possible. There are only very few organizations on this planet that actually have the necessary smart people to design cryptographic systems in secrecy: in the past, when mathematicians were patriots and governments were rich, those were the NSA and the KGB, right now it's IBM and a couple of years from now it's gonna be the Chinese Secret Service and international crime syndicates.

Steven Kryskalla
Jörg W Mittag
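To make the two sides of Kerckhoffs's principle concrete, here is an added example (mine, not code from this answer or from any real system) contrasting a constructed toy scheme whose protection rests on its design staying secret with one where the algorithm, parameters and salt are all written into the record in the open and only the password is secret. The mask constant, the record layout and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# ---- Scheme A: the design itself is the secret (constructed toy) ----
# Every installation shares this built-in masking constant. It is not a
# per-user key; it is part of the system, so Kerckhoffs's principle says it
# must be assumed known. Hypothetical value, not from any real product.
OBSCURE_MASK = b"magical_location"


def _mask(data: bytes) -> bytes:
    """Repeating XOR with the built-in constant; reversible by construction."""
    return bytes(b ^ OBSCURE_MASK[i % len(OBSCURE_MASK)] for i, b in enumerate(data))


def obscure_store(password: str) -> bytes:
    return _mask(password.encode())


def obscure_verify(stored: bytes, attempt: str) -> bool:
    return stored == obscure_store(attempt)


def obscure_invert(stored: bytes) -> str:
    """Once the design leaks, every stored record is readable: XOR is its own inverse.
    This is the 'compromising the system compromises all communications' case."""
    return _mask(stored).decode()


# ---- Scheme B: only the key (the password) is secret ----
# The record states the algorithm and all parameters; knowing them gives an
# attacker nothing beyond the (publicly known) size of the key space.
ALG = "pbkdf2_sha256"


def kerckhoffs_store(password: str, salt: Optional[bytes] = None,
                     iterations: int = 100_000) -> dict:
    salt = os.urandom(16) if salt is None else salt   # per-record random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"alg": ALG, "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def kerckhoffs_verify(record: dict, attempt: str) -> bool:
    if record.get("alg") != ALG:
        return False   # refuse records for algorithms this code does not implement
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # constant-time comparison so the check itself leaks nothing about the hash
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    leaked = obscure_store("hunter2")
    print("scheme A, design known -> password recovered:", obscure_invert(leaked))
    rec = kerckhoffs_store("hunter2")
    print("scheme B, everything public:", rec)
    print("scheme B verify correct/incorrect:",
          kerckhoffs_verify(rec, "hunter2"), kerckhoffs_verify(rec, "hunter3"))
```

In scheme A the single built-in constant plays the role of "the system": one reverse-engineering effort reads every record in every installation. In scheme B the only thing an attacker does not learn from the record is the password, so the remaining work is exactly a search of the key space, which is the situation the principle asks for.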
5

No. Let's look at a definition of security through obscurity from Wikipedia:

a pejorative referring to a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security.

The phrase refers to the code itself, or the design of a system. Passwords on the other hand are something a user has to identify themselves with. It's a type of authentication token, not a code implementation.

blowdart
  • So in other words passwords lie outside of the definition because it is not something that the designer of the system has control over? – Davy8 Dec 20 '10 at 02:03
  • @Davy8: That's not correct either, because the designer does indeed have direct control over what constitutes a password. – Noon Silk Dec 20 '10 at 02:07
1

Passwords are a form of authentication. They are meant to identify that you are interacting with who you are supposed to interact with.

Here is a nice model of the different aspects of security (I had to memorize this in my security course)

http://en.wikipedia.org/wiki/File:Mccumber.jpg

Passwords are an aspect of the confidentiality aspect of security.

While probably the weaker of the forms of authentication (something you know, something you have, something you are), I would still say that it does not constitute security through obscurity. With a password, you are not trying to mask a facet of the system to try to keep it hidden.

Edit:

If you follow the reasoning that passwords are also a means of "security through obscurity" to its logical end, then all security, including things like encryption, is security through obscurity. Then that means the only system that is not secured through obscurity is one that is surrounded in concrete and sunk to the ocean floor, no one ever being allowed to use it. This reasoning, however, is not conducive to getting anything done. Therefore we use "security through obscurity" to describe practices that use not understanding the implementation of a system as a means of security. With passwords, the implementation is known.

Stefan H
  • 1
    While I don't disagree with your statement, I'm not sure how it answers the question. – Davy8 Dec 20 '10 at 01:22
  • Sorry, i added a little more to support my belief that Passwords are not security through obscurity. Take a look at the wiki definition for it, and I think it's obvious that a password is not security through obscurity: http://en.wikipedia.org/wiki/Security_through_obscurity – Stefan H Dec 20 '10 at 01:28
1

I know that security through obscurity is frowned upon and considered not really secure, but isn't a password security through obscurity? It's only secure so long as no one finds it.

In order to answer this question, we really need to consider why "security through obscurity" is considered to be flawed.

The big reason that security through obscurity is flawed is that it's actually really easy to reverse-engineer a system based on its interactions with the outside world. If your computer system is sitting somewhere, happily authenticating users, I can just watch what packets it sends, watching for patterns, and figure out how it works. And then it's straightforward to attack it.

In contrast, if you're using a proper open cryptographic protocol, no amount of wire-sniffing will let me steal the password.

That's basically why obscuring a system is flawed, but obscuring key material (assuming a secure system) is not. Security through obscurity will never in and of itself secure a flawed system, and the only way to know your system isn't flawed is to have it vetted publicly.

Anon.
  • 1
    @Anon: Your claim seems to be that any system is not using "security by obscurity" if you can sniff what it does. It follows then that a system can transition from one that "is" using it, to one that "isn't". What is this transition? The finding of a flaw? So, SSL is security by obscurity now? http://www.schneier.com/blog/archives/2010/03/side-channel_at.html – Noon Silk Dec 20 '10 at 01:52
  • @Noon: Harping on about whether I claim X to be "security through obscurity" or not shows that you've completely missed the point I was trying to make. – Anon. Dec 20 '10 at 02:03
  • @Anon: No, it addresses it directly, by showing that your basis for deciding what is or is not "it" is flawed. – Noon Silk Dec 20 '10 at 02:05
  • @Anon would this be accurate paraphrase of what you're saying: "A system can be said to use security through obscurity if it can be compromised by obtaining certain information through technical means"? (i.e. not counting social engineering, getting you drunk and accidentally revealing your password, etc) – Davy8 Dec 20 '10 at 02:11
  • @noon: If you follow your reasoning to its logical end then all security, including things like encryption, is security through obscurity. Then that means the only system that is not secured through obscurity is one that is surrounded in concrete and sunk to the ocean floor, no one ever being allowed to use it. This reasoning, however, is not conducive to getting anything done. Therefore we use "security through obscurity" to describe practices that use not understanding the implementation of a system as a means of security. With passwords, the implementation is known. – Stefan H Dec 20 '10 at 02:11
  • @Stefan that is exactly the corollary to my question, "isn't all security by means of obscurity?" Isn't a password only secure because there isn't a way to read people's minds? Is the line between whether something is security through obscurity only a matter of how obscure the information is? – Davy8 Dec 20 '10 at 02:20
  • The difference is knowing the implementation. I can know exactly how you are using passwords, but still not know what your password is. With the example of port scanning. A person might try to secure their system by changing a service away from the default port. They would be trying to bank on the fact that I do not know the implementation. – Stefan H Dec 20 '10 at 02:23
  • @Stefan: You're getting closer! But still you're not getting it - I am saying that the phrase "Security by obscurity" is *not* conducive to getting things done. It is not useful. It is harmful. It's promoting a significant lack of understanding (i.e. this thread). @Davy8: Yes, you're correct. – Noon Silk Dec 20 '10 at 02:27
  • 2
    @Noon: I can agree that mindlessly calling out stuff as "security through obscurity" is flawed. In fact, that's one of the points I made in my answer (in which I noted that you need to understand *why* security through obscurity is considered flawed before making use of the term). However, I contend that the term *is* useful to describe a large (and common) flaw that arises when people who don't understand cryptography try and roll their own system. – Anon. Dec 20 '10 at 02:41
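The distinction this answer draws, that sniffing the wire of a properly designed open protocol does not yield the secret, can be shown with a small challenge-response login. This is an added example of my own, not code from the answer or from any real protocol; the server class, the nonce size and the "observer" helpers are assumptions made for the illustration. The naive plaintext exchange is included only as the contrast case.

```python
import hashlib
import hmac
import secrets


class Server:
    """Holds the shared secret and issues single-use random challenges."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._outstanding = set()   # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                     # never issued, or already consumed
        self._outstanding.discard(nonce)     # single use: a replayed transcript fails
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(shared_secret: bytes, nonce: bytes) -> bytes:
    """The client proves possession of the secret without ever transmitting it."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


def challenge_response_exchange(server: Server, client_secret: bytes):
    """Run one login. Returns (accepted, transcript); the transcript is exactly
    what a passive observer on the wire gets to see."""
    nonce = server.challenge()
    response = client_respond(client_secret, nonce)
    transcript = [("server->client", nonce), ("client->server", response)]
    return server.verify(nonce, response), transcript


def plaintext_exchange(client_secret: bytes):
    """The naive protocol for contrast: the password itself crosses the wire."""
    return [("client->server", client_secret)]


def transcript_contains_secret(transcript, secret: bytes) -> bool:
    """Does any captured message carry the secret verbatim?"""
    return any(secret in payload for _, payload in transcript)


def replay_transcript(server: Server, transcript) -> bool:
    """Re-send a captured (nonce, response) pair; the server rejects used nonces."""
    nonce, response = transcript[0][1], transcript[1][1]
    return server.verify(nonce, response)


if __name__ == "__main__":
    secret = b"correct horse battery staple"   # constructed shared secret
    srv = Server(secret)
    ok, t = challenge_response_exchange(srv, secret)
    print("login accepted:", ok)
    print("secret visible on the wire:", transcript_contains_secret(t, secret))
    print("replay of captured exchange accepted:", replay_transcript(srv, t))
    print("plaintext protocol leaks secret:",
          transcript_contains_secret(plaintext_exchange(secret), secret))
```

Everything about this design is public: the hash, the message layout, the nonce length. What the observer captures is a random challenge and an HMAC over it, and re-sending that pair does not work because the server consumes each nonce. The one caveat a practitioner should keep in mind is that the response is computable from the transcript plus a guess of the secret, so a low-entropy shared secret is still exposed to offline guessing; that is why deployed systems derive a strong key or wrap such an exchange in an encrypted channel.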
0

No, they are not.

Security through obscurity means that the process that provides the access protection is only secure because its exact details are not publicly available.

Publicly available here means that all the details of the process are known to everyone, except, of course, a randomized portion that constitutes the key. Note that the range from which keys can be chosen is still known to everyone.

The effect of this is that it can be proven that the only part that needs to be secret is the password itself, and not other parts of the process. Or conversely, that the only way to gain access to the system is by somehow getting at the key.

In a system that relies on the obscurity of its details, you cannot have such an assurance. It might well be that anyone who finds out what algorithm you are using can find a back door into it (i.e. a way to access the system without the password).

Thilo
0

The short answer is no. Passwords by themselves are not security by obscurity.

A password can be thought of as analogous to the key in cryptography. If you have the key you can decode the message. If you do not have the key you can not. Similarly, if you have the right password you can authenticate. If you do not, you can not.

The obscurity part in security by obscurity refers to how the scheme is implemented. For example, if passwords were stored somewhere in the clear and their precise location was kept a secret that would be security by obscurity. Let's say I'm designing the password system for a new OS and I put the password file in /etc/guy/magical_location and name it "cooking.txt" where anyone could access it and read all the passwords if they knew where it was. Someone will eventually figure out (e.g. by reverse engineering) that the passwords are there and then all the OS installations in the world will be broken because I relied on obscurity for security.

Another example is if the passwords are stored where everyone can access them but encrypted with a "secret" key. Anyone who has access to the key could get at the passwords. That would also be security by obscurity.

The "obscurity" refers to some part of the algorithm or scheme that is kept secret where if it was public knowledge the scheme could be compromised. It does not refer to needing a key or a password.

Guy Sirton
  • 1
    So in regards to "For example, if passwords were stored somewhere in the clear and their precise location was kept a secret that would be security by obscurity." Could you explain what's different between whether I guess your password or whether I guess the location of your password? Isn't the difference just a matter of how hard it would be to brute force? – Davy8 Dec 20 '10 at 01:36
  • It is different because only *I* know my password whereas the location of the password file can presumably be known or found out by others, it is part of the system/scheme not part of the unique data I need to authenticate myself or decrypt my files. If the rest of the system is secure no one can find my password unless I tell them. – Guy Sirton Dec 20 '10 at 01:39
  • "whereas the location of the password file can presumably be known or found out by others" How would it be known or found out by others? Suppose the physical machine is secure; however, let's say the file where the password is stored is accessible on the web, but there are exactly 0 links to it anywhere and directory listings are not allowed. That obviously sounds like security through obscurity, but how is that any easier to find than a password? – Davy8 Dec 20 '10 at 01:53
  • If your system relies on the location of the secret password file then this is security by obscurity. My example was of a situation where other people could access the file and the only thing that stands between them and your password is the secret location of the file. If there is no way for anyone to access the password file even if they know all the details about the system then the system is secure from that perspective. I added some clarification in the answer. – Guy Sirton Dec 20 '10 at 02:27
-2

Yes, you are correct and it is a very important realisation you are having.

Too many people say "security through obscurity" without having any idea of what they mean. You are correct in all that matters is the level of "complexity" of decoding any given implementation. Usernames and passwords are just a complex realisation of it, as they greatly increase the amount of information required to gain access.

One important thing to keep in mind in any security analysis is the threat model: Who are you worried about, why, and how are you preventing them? What aren't you covering? etc. Keep up the analytical and critical thinking; it will serve you well.

Noon Silk
  • 2
    Security through obscurity is about hiding facets of the system to try and keep it secure. That is not the case with a password. – Stefan H Dec 20 '10 at 01:29
  • @Stefan: Sorry, you've not understood the meaning. It's understandable, because it's a source of confusion, but I do suggest you try and understand what you're talking about when using terms. – Noon Silk Dec 20 '10 at 01:31
  • 8
    "Too many people say security through obscurity without having any idea of what they mean." This answer is a good example. – Thilo Dec 20 '10 at 01:31
  • Feel free to enlighten me then. I would say that password crypto and methods of authenticating with passwords are so open that they are anything but security through obscurity. Obscured and secret in the case of passwords are not the same thing. – Stefan H Dec 20 '10 at 01:35
  • @Stefan: Right, in the OPs case the only thing closed is the password. This is technically "obscure". There is so much misuse of the term "Security through obscurity", by all types, who really have no idea what it takes to make a secure system. It is typical of short terms like this; they become abused to the point of *hurting* the understanding of the main point. Hopefully this post (the OPs) is a step to fixing that mistake. – Noon Silk Dec 20 '10 at 01:37