You are right in that a password is only secure if it is obscure. But the “obsure” part of “security through obscurity” refers to obscurity of the system. With passwords, the system is completely open — you know the exact method that is used to unlock it, but the key, which is not part of … Read more
EDIT (2016): use Argon2, scrypt, bcrypt, or PBKDF2, in that order of preference. Use as large a slowdown factor as is feasible for your situation. Use a vetted existing implementation. Make sure you use a proper salt (although the libraries you’re using should be making sure of this for you). When you hash the passwords … Read more
Security through obscurity would be burying your money under a tree. The only thing that makes it safe is no one knows it’s there. Real security is putting it behind a lock or combination, say in a safe. You can put the safe on the street corner because what makes it secure is that no … Read more