That made me smile. One of my favorite sayings is that “all security is security through obscurity”, because all it really takes is a lead pipe and some duct tape to “de-obscure” the password. But, that said, I’ve always considered such “rubberhose cryptanalysis” to be a form of social engineering. Actually, that’s a great doublespeak term for it. “Extreme Adversarial Social Engineering”. It even has a good acronym: EASE.
When you say “the threat model which you skipped”, what do you mean?
Which is why many contemporary secure systems do not rely on permanent passwords (e.g. OTR messaging).
The usual: who is your adversary and against which threats are you trying to protect yourself?