I know that security through obscurity is frowned upon and considered not really secure, but isn’t a password security through obscurity? It’s only secure so long as no one finds it.
Is it just a matter of the level of obscurity? (i.e. a good password well salted and hashed is impractical to break)
Note I’m not asking about the process of saving passwords (Assume they are properly hashed and salted). I’m asking about the whole idea using a password, which is a piece of information, which if known could compromise a person’s account.
Or am I misunderstanding what security through obscurity means? I guess that’s what I assume it to mean, that is there exists some information which if known would compromise a system (in this case, the system being defined as whatever the password is meant to protect)
You are right in that a password is only secure if it is obscure. But the “obsure” part of “security through obscurity” refers to obscurity of the system. With passwords, the system is completely open — you know the exact method that is used to unlock it, but the key, which is not part of the system, is the unknown.
If we were to generalize, then yes, all security is by means of obscurity. However, the phrase “security through obscurity” does not refer to this.