by darkmighty 3186 days ago
Well, but if port knocking was a great effective security tool, everyone would be using it, which defeats the obscurity advantage and would bring it back on par with good old passwords.

It might be a decent extra tool for very delicate situations, but I find it reasonably clear that it's largely self-defeating and not to be relied upon. It can also introduce further bugs.

I can see it could have an appeal as a proper password system though (not an obscurity device), since it's really the first step in interacting with a server. With password protocols, you usually have a more complicated interaction that can open a greater surface area. It seems good practice to authenticate absolutely as soon as possible.

3 comments

The benefit of port knocking is that it essentially gives you a channel to transmit a password over, without revealing the existence of the system that's being authenticated for. A traditional password, on the other hand, requires some sort of socket that leaks the presence of a listening server.

Even if everybody were to use port knocking, knowing that fact doesn't give you any knowledge about whether a given IP hosts zero, one, or some arbitrary number of possibly vulnerable services.

One clear downside: you've now created an easy low-bandwidth way for anyone to deny you from opening connections there, since others can easily interfere with your port knocking sequence.

"If this was good everyone would be doing it" is... shaky logic, at best.

I think the intent is an argument that basically says "if everyone were doing it, it wouldn't be good" which is less shaky (though see ShaneWilton's comment as to why this isn't so).