<p><strong>Original Answer:</strong> Security through obscurity is something that should <strong>never</strong> be practiced.</p>
<hr>
<p>I'd like to expand on this, as I see some argument is still being made that a secret URL is no different than a password. I would highly disagree with that comparison. A secret URL and a password <strong>do</strong> share one similar characteristic: they are known to one or more specific person/people. That is where the similarity ends.</p>
<p><strong>Strength of Passwords</strong></p>
<ul>
<li><p>Making a password out of a series of random words <a href="http://xkcd.com/936/" rel="noreferrer">makes the password very strong and very hard to guess or brute force</a>.</p></li>
<li><p>A password has to be coupled with a user name, which also can increase security if the user name is not common.</p></li>
<li><p>User name and password combinations are not statically shown on the screen, nor stored anywhere in the browser (unless you chose to have your browser "save" your login credentials).</p></li>
<li><p>Passwords can be changed in the case of a breach without the need to change the entry point into the system.</p></li>
<li><p>Good password systems don't store them in plain text on the filesystem.</p></li>
</ul>
<p><strong>Weakness of Secret URL</strong></p>
<ul>
<li><p>Unless used in "Incognito", "Private", etc. mode, the URL will be stored in your local history/cache.</p></li>
<li><p>URLs are shown in the browser window and can be privy to wandering eyes.</p></li>
<li><p>If the secret URL is compromised, you have to change it and notify anyone using it.</p></li>
<li><p>The URL exists in plain text on the server somewhere, whether as real directory/files or as a rewrite (however, a rewrite could be done at a much higher level).</p></li>
<li><p>Everything else that @Mike Clark has mentioned in <a href="https://stackoverflow.com/a/6784690/542517">his answer</a>.</p></li>
</ul>
<p><strong>What it really comes down to:</strong></p>
<ul>
<li><p>Secret URLs are only practicing security through obscurity. That's it.</p></li>
<li><p>Passwords may be obscured information by definition, but the extra efforts, precautions, and safeguards taken around passwords add a level of security on top of it all. In other words, passwords are layered and are practicing security through other means <em>in addition to</em> obscurity. This, in turn, makes them a better choice than a simple obscured URL.</p></li>
</ul>
<p><strong>Recommendation:</strong> Use both a "secret" URL and a <em>very strong</em> user name/password combination. Don't rely on <strong>JUST</strong> a "secret" URL.</p>
<p><strong>Never</strong> practice security using obscurity as the only safeguard.</p>
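<p>The layered design the answer recommends (a "secret" URL <em>plus</em> a strong user name/password), as an added example that is not part of the original answer or any project's code. It also goes one step beyond the answer's list of weaknesses: the server keeps only a SHA-256 digest of the URL token, so the secret URL does not exist in plain text on the server, and the token can be rotated independently of the password (and the password independently of the URL). All names here (<code>User</code>, <code>SecretLink</code>, <code>issue_link</code>, <code>rotate_link</code>, <code>grant_access</code>) are invented for this illustration.</p>

```python
"""Secret-URL access gated by a second layer (user name + password).

Added illustration of the answer's recommendation; not code from the
original post. All names below are invented for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# ---- layer 2: user credentials, stored as salted slow hashes, never plain text ----

@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes

def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt: memory-hard, 16 MiB at these parameters, so brute force stays expensive
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def create_user(name: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, salt, _hash_password(password, salt))

def set_password(user: User, new_password: str) -> None:
    """Change the password after a breach; the secret URL (entry point) is untouched."""
    user.salt = secrets.token_bytes(16)
    user.pw_hash = _hash_password(new_password, user.salt)

def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

# ---- layer 1: the secret URL; only a digest of the token lives on the server ----

@dataclass
class SecretLink:
    path_prefix: str
    token_hash: bytes
    revoked: bool = False

def _new_token() -> Tuple[str, bytes]:
    token = secrets.token_urlsafe(32)              # 256 bits of entropy, URL-safe
    return token, hashlib.sha256(token.encode()).digest()

def issue_link(path_prefix: str = "/share") -> Tuple[SecretLink, str]:
    """Return the server-side record and the one-time-shown URL (the URL is not stored)."""
    token, digest = _new_token()
    return SecretLink(path_prefix, digest), f"{path_prefix}/{token}"

def rotate_link(link: SecretLink) -> str:
    """Replace a leaked token (history, shoulder-surfing); old URL stops working at once."""
    token, link.token_hash = _new_token()
    return f"{link.path_prefix}/{token}"

def _token_matches(link: SecretLink, url: str) -> bool:
    prefix = link.path_prefix + "/"
    if not url.startswith(prefix):
        return False
    presented = hashlib.sha256(url[len(prefix):].encode()).digest()
    return hmac.compare_digest(link.token_hash, presented)   # constant-time compare

_DUMMY_SALT = secrets.token_bytes(16)

def grant_access(link: SecretLink, users: Dict[str, User],
                 url: str, username: str, password: str) -> bool:
    """Both layers must pass: an unrevoked, matching URL token AND valid credentials."""
    if link.revoked or not _token_matches(link, url):
        return False
    user = users.get(username)
    if user is None:
        _hash_password(password, _DUMMY_SALT)   # keep timing similar for unknown users
        return False
    return check_password(user, password)

if __name__ == "__main__":
    # constructed sample: one user, one shared link
    users = {"alice": create_user("alice", "correct horse battery staple")}
    link, url = issue_link()
    print("url alone:", grant_access(link, users, url, "alice", "wrong"))        # False
    print("both layers:", grant_access(link, users, url, "alice", "correct horse battery staple"))  # True
```

<p>Knowing the URL alone never grants access, a wrong or revoked token fails before any password work is done, and each layer can be rotated without disturbing the other.</p>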
 
