Sometimes, you’ll need a catchy example why “security by obscurity” is such a bad idea. Here’s one: “Starring The Admin.”
The gist is that a developer of an application was too lazy to implement proper user roles. So the solution was “if the login has ‘**’ in it, I’ll grant admin rights”. That’s it. Anyone can get admin rights just by appending “**” to their login (the app will remove the “**” from the login before checking the it so no changes to the user database are necessary).
Cool, eh? And so simple!