On Sat, May 22, 2010 at 4:07 AM, Angus Scott-Fleming <[email protected]> wrote:
>> Obscurity != Security
>>
>> And with that, let the soapboxing begin...
>
> And what is a password but "obscurity"?

A password is a "secret key". The difference between a "secret key" and "security by obscurity" is that you can change a key easily and quickly, without changing the architecture. Thus, unwanted disclosure of a secret key does not invalidate the security design; you simply change the key. You can even do this preemptively.

In contrast, once a "security by obscurity" vulnerability is disclosed, you must change the security design. That could mean anything from changing configuration options to installing new software to buying all new equipment.

-- Ben
