by AlotOfReading 1209 days ago
Not if their cryptography is done properly. Cryptosystems are designed to maintain their security even if the complete algorithm is known to the adversary. You'll commonly see this phrased as "don't rely on security through obscurity".

> don't rely on security through obscurity

Which doesn't mean you shouldn't also use obscurity. NIST recommends it [1], and the industry widely uses it. In practice "don't rely on obscurity" usually means "have enough security besides obscurity to give you a grace period to switch out the obscurity". That's for whole systems, you might get away with people knowing you use standardized primitives like AES.

[1]: https://csrc.nist.gov/news/2021/revised-guidance-for-develop...

Everything we know about the subject of this discussion (Windows product key validation) comes from reverse engineering the relevant DLLs because none of it has been discussed publicly. I think MS is probably of a similar opinion regarding publishing unnecessary details.
> don't rely on security through obscurity

If it's not obscure enough that it will be found, then you are correct.

But what's more secure than a password that you don't know? Not knowing there is a password in the first place. If the answer is never found, how can it be insecure? I dub this Schrödinger's security.