Comment by mcnichol

2 months ago

I'm not arguing the complexity of hacking a password, I'm familiar. So instead of responding with rainbow tables or how knowing the schema informs you of the location of salts for the salted hash (which is the actual proper way), I'll just point to an example.

Look at how RSA is implemented. Look at the intentional obscurity of S tables and lack of detailed information.

There is a reason information is withheld. DB schema is just that, information that increases the threat.

And running a DB on someone's infrastructure doesn't necessarily give you access. You need to read up on AuthN and AuthZ.

If you listed an open source example I'd take the time to poke holes in your strawman argument but you honestly just need to take a step back and think about what you are really arguing.

Do you really think not having the schema is as inconsequential as having the schema when attacking something? I mean what is the first step most folks do in reverse engineering? I honestly can't believe I'm having to say this.