I want to tackle a misunderstanding I have seen from some posters in this thread about passwords/secrets/keys. Using a password should not be considered a form of "obscure defense".
If you are using a password there is a mathematical definition of how hard it is to crack: the number of bits of entropy contained in the password. If you use a password manager like KeePass, it will tell you the number of bits in your password.
If it takes me 2^100 guesses for a 50% chance to discover your password then that is not obscurity, that is a valid defense mechanism. That the password itself is obscure is not a reason to call the strategy obscure.
Passwords and keys are used to create an artifact that will unlock access to a whole bunch of information. Instead of protecting each piece of information individually, we can now focus our efforts on protecting the password instead.
With a password we have managed to make the process of protecting information simpler, less obscure.
Sorry to discuss something a bit off-topic from the article, but I figured I had seen the "passwords are obscure" argument so many times here and that this could be a valuable opportunity to teach something about security.
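As an added illustration (not part of the original post), here is how the "bits of entropy" figure the post mentions is computed and turned into a guess count; the character-pool size, word-list size and attacker guess rate are assumed values, and the estimate only holds for passwords generated uniformly at random.

```python
import math

# Added example, not from the original post. The entropy formulas assume the
# password was drawn uniformly at random from the stated space; a human-chosen
# password has far less entropy than these numbers suggest.


def charset_entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from a pool of `pool_size` symbols."""
    if length <= 0 or pool_size <= 1:
        raise ValueError("need length >= 1 and a pool of at least 2 symbols")
    return length * math.log2(pool_size)


def wordlist_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a list of `list_size` words."""
    if word_count <= 0 or list_size <= 1:
        raise ValueError("need word_count >= 1 and a list of at least 2 words")
    return word_count * math.log2(list_size)


def guesses_for_half_chance(bits: float) -> float:
    """Guesses needed for a 50% chance: half the search space, i.e. 2^(bits-1).
    The post's '2^100 guesses for a 50% chance' corresponds to about 101 bits."""
    return 2.0 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Time for a 50% chance at a given guess rate (the rate is an assumed attacker figure)."""
    return guesses_for_half_chance(bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed inputs: 12 symbols from the 95 printable ASCII characters,
    # and 6 words from a 7776-word (Diceware-sized) list.
    samples = (
        ("12 printable chars", charset_entropy_bits(12, 95)),
        ("6 diceware words", wordlist_entropy_bits(6, 7776)),
    )
    # Assumed attacker rate: 1e10 guesses/s against a fast, unsalted hash.
    for name, bits in samples:
        print(f"{name}: {bits:.1f} bits, 50% chance after "
              f"{guesses_for_half_chance(bits):.3g} guesses, "
              f"~{years_to_crack(bits, 1e10):.3g} years at 1e10 guesses/s")
```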