A security anti-pattern in which secure information is "protected" by making it "hard to find" in the mistaken belief that it is then secure. It is the approximate equivalent of hiding the front door key under the mat.
Questions tagged [security-by-obscurity]
35 questions
78 votes, 14 answers
Why is security through obscurity a bad idea?
I recently came across a system where all of the DB connections were managed by routines obscured in various ways, including base 64 encoding, md5sums and various other techniques.
Why is security through obscurity a bad idea?

Jrgns
62 votes, 14 answers
Encrypting/Hashing plain text passwords in database
I've inherited a web app that I've just discovered stores over 300,000 usernames/passwords in plain text in a SQL Server database. I realize that this is a Very Bad Thing™.
Knowing that I'll have to update the login and password update processes to…

Jonathan S.
32 votes, 8 answers
Isn't a password a form of security through obscurity?
I know that security through obscurity is frowned upon and considered not really secure, but isn't a password security through obscurity? It's only secure so long as no one finds it.
Is it just a matter of the level of obscurity? (i.e. a good…

Davy8
19 votes, 12 answers
Is using a GUID security through obscurity?
If you use a GUID as a password for a publicly facing application as a means to gain access to a service, is this security through obscurity?
I think the obvious answer is yes, but the level of security seems very high to me since the chances of…
Blankman
5 votes, 3 answers
How to hide literals in code
What are the main existing approaches to hide the value of literals in code, so that they are not easily traced with just a hexdumper or a decompiler?
For example, instead of coding this:
static final int MY_VALUE = 100;
We could have:
…

Mister Smith
4 votes, 2 answers
Obfuscation in .NET vs. Delphi
I have an old Delphi application. This app takes a session key from the server, does some stuff with a secret using this key, like hashing etc., and posts back a cipher to the server. The server knows how to retrieve data from this cipher. So simply it's security through…

prostynick
4 votes, 5 answers
Should I obscure database primary keys (IDs) in application front end
I'm working on an application which allows a moderator to edit information of a user.
So, at the moment, I have URLs like
http://xxx.xxx/user/1/edit
http://xxx.xxx/user/2/edit
I'm a bit worried here, as I'm directly exposing the users table primary…

Pruthvi Raj Nadimpalli
3 votes, 1 answer
How to monitor user action on .NET web browser control without obfuscation?
I have an embedded web browser control in a WinForms app. The user performs some actions on a site that doesn't belong to me. At the end (e.g. on the last page) I need to send confirmation to my server (e.g. via web service) that the user really did what he was…

Aly
3 votes, 2 answers
Obscure and encode a URL parameter
I want to encrypt a URL variable so that the user can't see the information when it is passed. I've found several scripts online but none of them work. Most seem to lean toward using base-64. Could someone help me write a short script that would…

sehummel
3 votes, 1 answer
Secure Connection to LDAP Server
I am using a hash to encrypt and decrypt my passwords which I am sending to a class construct. Exampled below:
public static function HashPassword ($Password){
$salt = self::$Salt;
return trim
…

Daryl Gill
3 votes, 2 answers
How to obscure hard coded password in code?
I would like to obscure a password in my VB6 code, such that it cannot be revealed even via decompilation.
Is this possible?

CJ7
2 votes, 5 answers
Is it possible to have an open source implementation of DRM software?
I am curious to know if anyone has figured out a way to create the server portion of DRM in an open source manner while allowing for DRM clients to be closed. I understand that if the client were open source, it would be easy to remove the DRM…

McGovernTheory
2 votes, 2 answers
Using @ in a C or C++ application
I came to this obscure thing ... I would like to know if there are any possibilities for the @ sign to appear in the source of a valid C/C++ application, besides the following situations:
a const char* value such as const char* addr =…

Ferenc Deak
1 vote, 6 answers
The best approach to scramble CSS definitions to a human-unreadable state throughout an ASP.NET application
I'm not sure if it will bring anything beyond saving on traffic through the removal of long-worded names, but I would definitely want to hide my system of namings, declarations and their organization.
The thing is that manual Find&Replace is going…

User
1 vote, 6 answers
Masking an external URL
I need to be able to open up an external URL in my website without revealing it to my users (both in the browser and in the source). I do not want them to be able to copy the URL and edit the query string to their liking. Is there a way to open…

jckeyes