Right, but what GP meant to say was that obscurity is not sufficient as the ONLY layer of security. There might be some techniques that are perfectly sufficient (for example, encrypting all the user data with a password and storing a hash+salt version of the password coule be argued to be sufficient), but obscurity is not.