Security by Obscurity
What is Security by Obscurity?
Security by Obscurity: Approach that relies on keeping the design, implementation, or location of a system secret as the primary means of defence rather than on intrinsic strength.
Security by obscurity assumes attackers cannot succeed because they do not know how a system works, where it lives, or what algorithm it uses. Kerckhoffs's principle, formulated in 1883, rejects this: a cryptosystem must remain secure even if everything about it except the key is public. Hidden admin URLs, custom proprietary crypto, unpublished port numbers, and security-through-rebranding all fall apart against scanners, leaks, reverse engineering, and insiders. NIST and ISO guidance treats obscurity as defence in depth at best: a small additional cost for attackers, but never a substitute for strong authentication, authenticated encryption, hardening, monitoring, and patching.
● Examples
- 01: Hiding the admin panel at /supersecret-admin while leaving authentication weak.
- 02: Inventing in-house "encryption" instead of using AES-GCM.
● Frequently asked questions
What is Security by Obscurity?
Approach that relies on keeping the design, implementation, or location of a system secret as the primary means of defence rather than on intrinsic strength. It belongs to the Compliance & Frameworks category of cybersecurity.
How do you defend against Security by Obscurity?
Replace secrecy of design with controls that still hold when the design is public: strong authentication, authenticated encryption such as AES-GCM, hardening, monitoring, and patching, as described in the full definition above. Obscurity may remain as one extra layer, never as the primary control.
● Related terms
- compliance (№ 299): Defense in Depth
Security strategy that layers independent controls so that if any single control fails, others continue to prevent, detect, or contain an attack.
- cryptography (№ 249): Cryptography
The science of securing information through mathematical techniques that provide confidentiality, integrity, authenticity, and non-repudiation in the presence of adversaries.
- appsec (№ 982): Secure Coding
The practice of writing source code in ways that minimize security defects, following defensive patterns, language-specific rules and recognized guidelines.
- appsec (№ 1150): Threat Modeling
A structured analysis that identifies the assets, threats, vulnerabilities and mitigations of a system so security can be designed in rather than bolted on.
- identity-access (№ 854): Principle of Least Privilege
A security principle that grants every user, process, or service only the minimum privileges strictly required to perform its function, and no more.