> I mean isn't security by obscurity generally accepted as bad practice?
That's an oversimplification. Obscurity is generally a really thin layer of security - not nothing, but if people think of it as "real" security then they neglect other things and just have the inadequate layer that is obscurity. By way of analogy - if you add a 3-character password to a system, it is strictly more secure than without that password. But if you think "oh, I have a password, so I'm safe and don't need anything else" then you will get owned the first time someone takes an actual run at your security. A system that depends on obscurity is probably doomed to failure, but that doesn't make its value zero, just low.
That's an oversimplification. Obscurity is generally a really thin layer of security - not nothing, but if people think of it as "real" security then they neglect other things and just have the inadequate layer that is obscurity. By way of analogy - if you add a 3-character password to a system, it is strictly more secure than without that password. But if you think "oh, I have a password, so I'm safe and don't need anything else" then you will get owned the first time someone takes an actual run at your security. A system that depends on obscurity is probably doomed to failure, but that doesn't make its value zero, just low.