
How transparent is a randomly named directory or file?

@Shelton105

Posted in: #Security

Possible Duplicate:
Are files in a hidden directory safe?




Let's pretend that I have a website and want to keep personal notes on it.

If I make a directory like mysite.com/84eW93e7 or mysite.com/34aWe897.txt

where the letters and numbers are random so randomly guessing the file or directory name is impractical.

How secure is this directory? Could someone still discover the existence of the file or directory assuming directory listing is off? If so, how would they find out?

Of course this isn't something I would do, I'm just curious.


2 Comments


@Carla537

I would say it's quite secure if it's a secret and you can make it a random name. What Su is talking about is maybe good for the business but it's like the difference between tactic and strategy. As long as you can keep it a secret then nobody knows. I could also brute-force a .htaccess authentication. Just stop asking everybody.


@Angie530

What you're describing has a name: security through obscurity. There are arguments for and against it as a concept, but for formal/professional purposes, it "has never achieved engineering acceptance as an approach to securing a system."

Even if you disallow directory listing, if the name is guessed somehow there will still be an indication that there is a directory by that name, as opposed to an actual 404. Try it. This could fail against something as simple as a brute-force attack (aaaa, aaab, aaac, etc). So now someone's figured out the directory, and can start trying filenames with the same method. Where you say "impractical" it's really "matter of time," where the amount of time required depends on the length of your randomized naming. It would be much easier (and safer) to actually implement even simple, but actual, security measures, like htaccess authentication.

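A defender-side view of the guessing described in the answer above, as an added example that is not part of the original thread: it scans access-log lines for a client producing many distinct 404s and reports any request from that client that did not return 404, which is the signal that a guessed name exists. The log lines, the `min_misses` threshold and the request rate passed to `expected_days` are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /aaaa HTTP/1.1" 404 196
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /aaab HTTP/1.1" 404 196
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /aaac HTTP/1.1" 404 196
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /aaad HTTP/1.1" 403 199
198.51.100.4 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [01/Jan/2024:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 196
"""

# client, request path and status code from one common-log-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')


def find_enumeration(log_text, min_misses=3):
    """Return {client: [(path, status), ...]} for clients with many distinct 404s.

    The listed requests are the ones that did NOT answer 404. With directory
    listing off, Apache typically answers 403 (or 301 to add the trailing
    slash) for an existing directory, so these are the names that were found.
    """
    misses = defaultdict(set)    # client -> distinct paths answered 404
    others = defaultdict(list)   # client -> (path, status) for everything else
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        if status == 404:
            misses[client].add(path)
        else:
            others[client].append((path, status))
    return {c: others[c] for c, paths in misses.items() if len(paths) >= min_misses}


def expected_days(alphabet_size, length, requests_per_second):
    """Average days to hit one random name: half the keyspace at the given rate."""
    return alphabet_size ** length / 2 / requests_per_second / 86400


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
    for n in (4, 8):  # 62 = a-z, A-Z, 0-9; 100 requests/second is an assumed rate
        print(n, "chars:", round(expected_days(62, n, 100), 2), "days on average")
```

The per-client threshold only works when guesses come from one address; the same count keyed on the requested path prefix catches guessing spread across several clients.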

