
If you like it you can put the laziness of attackers in your threat model.

Most attackers are just systems that are scanning parts of the internet for the low hanging fruit. They want easy targets, they don't want to spend time on your systems, and they like using their usual tools that work for everyone else. They aren't going to put in the effort to work out your slightly different hashing method and make a GPU based cracker for it. They aren't going to employ a giant network to bypass fail2ban. They aren't looking for nonstandard ports. Etc, etc.

Yes, you can hypothetically have an attacker that works around all your obfuscation, but it simply requires much more effort. By employing these kind of techniques, you beat the script kiddies and the automated systems, which in my experience is 99% of attackers.




> They aren't going to put in the effort to work out your slightly different hashing method and make a GPU based cracker for it.

If you have a “slightly different hashing method” – especially one for which a GPU-based cracker would be useful – you’re doing it wrong. Argon, scrypt, bcrypt: all much more valuable.
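To make the contrast in this reply concrete, here is an added example (not code from either commenter) that puts a "slightly different" fast hash next to a standard memory-hard one. The `homebrew_hash` scheme is constructed here purely for illustration; the scrypt cost parameters are demo values and are an assumption, not a recommendation for production, where they should be set from current guidance and the server's capacity. It uses only the Python standard library.

```python
import hashlib
import hmac
import os
import time

# Demo-sized scrypt parameters (assumption: tune these per deployment).
# Memory use is roughly 128 * r * N bytes, i.e. 16 MiB here.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def homebrew_hash(password: str, salt: bytes) -> bytes:
    """A constructed "slightly different" scheme: SHA-256 over salt + password,
    then SHA-256 again with the salt appended. It is still a fast hash, so
    once the layout is known a cracker adapts to it with two digest calls."""
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hashlib.sha256(first + salt).digest()


def hash_password(password: str) -> str:
    """Hash a password with scrypt and a fresh random salt.

    The parameters are stored alongside the hash so they can be raised later
    and old records can still be verified."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored parameters and compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def guesses_per_second(hash_fn, salt: bytes, rounds: int = 20) -> float:
    """Rough single-core guess rate for a hash function, for comparison only."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"guess{i}", salt)
    elapsed = time.perf_counter() - start
    return rounds / elapsed if elapsed > 0 else float("inf")


def _scrypt_guess(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify right password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", record))
    salt = os.urandom(SALT_LEN)
    print(f"homebrew guesses/s (one core): {guesses_per_second(homebrew_hash, salt):,.0f}")
    print(f"scrypt guesses/s (one core):   {guesses_per_second(_scrypt_guess, salt):,.0f}")
```

The point the numbers make is the one the reply makes: an unusual layout of a fast hash costs a cracker a few minutes of adaptation, while a memory-hard function costs them per guess, forever, without any secrecy about the method.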


"which in my experience is 99% of attackers."

And that's how I know you're not trustworthy in security. I design scripts to look like humans, and you're none the wiser because you think it's not possible.

Good job securing ANY of your systems against me. I've been at this for over 30 years.


Yes I understand an experienced pentester will have a different approach, YOU are at it for 30 years, you're not bulk-scanning the internet on port 22, and you're not a script kiddie trying out hydra for the first time.

> Good job securing ANY of your systems against me.

You completely missed the point of my post. To quote another post:

> In meatspace there's the advice of "don't leave valuables in your car in plain sight," that's uncontroversial but it's also security through obscurity, covering up your iPad when you leave it in the car doesn't mean you don't lock your door.



