
Security Through Obscurity ... and Why It Isn't by netuoso

· @netuoso ·
![security-fingerprint.jpg](https://steemitimages.com/DQmUfpFMMqCaUF87RB9qSAM59rXfMM9nnNJ8hUJBJv3xnmF/security-fingerprint.jpg)

# Security Through Obscurity .. and Why It Isn't
Lately, I have been seeing a lot of people discussing system and network administration as it relates to setting up STEEM nodes or Witness servers. Something that keeps cropping up is how to keep the server secure from hackers or outside abuse. One of the top things that people suggest is to change the SSH port from the default of 22 to something else.

Today, I want to discuss the difference between **security through obscurity** and **security through secrecy**. 

## Let's dive right in
Security through obscurity is defined as **reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system**.

Security through secrecy is defined as **reliance on the measurability of the probability a security measure can be broken.**

## Security Through Obscurity
Some examples of this practice are:
- Hiding a key under a rock near a locked door
- Changing default ports to non-default ports
- Wearing a baseball cap and sunglasses to avoid facial recognition
- Changing the color of a car to run from the police

As you can tell, some of these examples might actually work to keep a secret hidden for some time. However, relying on only one method of security is sure to fail.

## Security Through Secrecy
Some examples of this practice are:
- A passphrase that uses a high amount of entropy
- A hidden code language that you created
- A combination lock on a briefcase

Again, as you can tell, some of these examples will provide a high level of security. However, they can often still be broken. The passphrase might not be complex enough, the code language not unique enough, or the combination lock can be brute forced given enough time.

Despite the fact that we realize these security mechanisms can be broken, we can often figure out exactly how much time, effort, and money would be required to perform such a feat.

![security-keywords.jpg](https://steemitimages.com/DQmXHnWTZnarxVNrjUpGpFxrbFKsjGg6Nfhdsx5J9JYr1AL/security-keywords.jpg)

## Cost Examples
With current technology, a 512-bit RSA key can be broken in around 3 hours for about $70, and the guides that are available make this very doable for the average netizen. Once you start raising the entropy, you start getting into the realm of an attack that would take hundreds, thousands, or even millions of years to complete. Despite the fact that it is eventually breakable, the cost and effort are insurmountable, making the attack implausible.

A combination padlock might take only a few hours for an attacker to crack open. Usually, this level of security is enough for people traveling with a briefcase or suitcase for a short while. There is no need to have security capable of protecting the bag's contents indefinitely unless it is the President's Nuclear Football.

## So I shouldn't do security through obscurity?
Wrong. You should have multiple layers of security in any situation where you need to protect something from unwanted access. Your security plan should be like an onion, with many layers. You should expect that a determined attacker will eventually break through anything you have in place. Multiple layers of security give you enough time to react to their unwarranted attempts at access.

## Other Options
Other methods and tips exist to increase the cost and effort required to break security measures, such as banning IP addresses that make too many failed login attempts, or throttling connections so brute forcers cannot try as many logins.
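
The failed-login banning described above, as an added example that is not part of the original post: it scans sshd log lines, bans any source IP that reaches a failure threshold inside a sliding window, and reports the guess rate the policy still allows. The log lines are constructed, and the ISO 8601 timestamp format, the threshold of 3 and the 60-second window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges), not real traffic.
# Assumption: syslog is configured to write ISO 8601 timestamps.
SAMPLE_LOG = """\
2017-08-05T03:00:01 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
2017-08-05T03:00:02 web1 sshd[812]: Failed password for invalid user admin from 198.51.100.23 port 51900 ssh2
2017-08-05T03:00:03 web1 sshd[813]: Failed password for alice from 192.0.2.10 port 60001 ssh2
2017-08-05T03:00:05 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
2017-08-05T03:00:08 web1 sshd[813]: Accepted password for alice from 192.0.2.10 port 60001 ssh2
2017-08-05T03:00:09 web1 sshd[811]: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
2017-08-05T03:00:12 web1 sshd[815]: Failed password for root from 203.0.113.7 port 40310 ssh2
2017-08-05T03:05:00 web1 sshd[820]: Failed password for invalid user admin from 198.51.100.23 port 52011 ssh2
2017-08-05T03:10:00 web1 sshd[825]: Failed password for invalid user admin from 198.51.100.23 port 52107 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def find_offenders(lines, max_failures=3, window=timedelta(seconds=60)):
    """Return {ip: time the ban triggered} for sources that hit the threshold."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in banned:
            continue  # not a failed login, or the source is already banned
        ts = datetime.fromisoformat(m["ts"])
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # forget failures older than the window
            hits.popleft()
        if len(hits) >= max_failures:
            banned[m["ip"]] = ts
    return banned

def allowed_guesses_per_day(max_failures=3, window=timedelta(seconds=60)):
    """Ceiling on guesses per day one source can make without being banned."""
    return (max_failures - 1) * timedelta(days=1) / window

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
    print(f"guesses/day still possible per source: {allowed_guesses_per_day():.0f}")
```

The slow source at 198.51.100.23 is never banned, which is why the ceiling matters: it gives the measurable guess rate to weigh against the strength of the credentials behind the login.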

## Closing Notes
Despite taking every possible security measure you can think of, someone will always be able to find a weak point in your system. There will always be a way in that you did not think to seal. With this logic in mind, you should try to implement as many mechanisms as you can including logging, alerting, backups, and firewalls. Don't rely on keeping things secret from the enemy. Worry about making it financially impossible for them to break through your known security implementation.

# The reliance of a secret remaining secret means it won't.
Created: 2017-08-05 03:09:15
@azissuloh ·
thank you for sharing @neutuso
glad to see this article
@bukharisulaiman ·
My greetings from aceh @bukharisulaiman. I am a newcomer in steemit. Information and experience from friends is very useful to me. Please guide me @netuoso
@realitycheck ·
This might be as important as placing a band aid over your laptop camera.
***Wearing a baseball cap and sunglasses to avoid facial recognition***
@netuoso ·
![](https://steemitimages.com/DQmZa32hFTWP3GWRze7HDvC4cphawxhC9gw4LMZnbmy9M6b/image.png)

Even smart people rely on silly methods for "security".
@realitycheck ·
Appears so!
@shifty0g ·
Layers of security. Follow best practices and hide in plain sight. Don't make yourself obvious low-hanging fruit.