This catch phrase can be used to prove too much. All camouflage is bad? Hiding is useless? No, of course not. These things have deep, evolutionary roots, as a way of getting an edge in nature and in war.

In its original context, relying on obscurity alone as your only defense isn't recommended when there are better alternatives like real authentication and encryption. Also, hiding isn't an option for things necessarily done in public.

But it's still defense in depth when you can do it. People can just show up at your doorstep and that's a hassle or worse.

There is also the crazy ex scenario. We should probably avoid assuming everyone has the same security needs.

It is considered bad practice when used instead of an obviously better alternative. E.g. running a service on an obscure port instead of using a password. Or having a hard-coded admin password instead of forcing the user to pick one.

But when it's in addition to good measures, then it generally improves security.

It's defense is n depth.

I used both obscure ports AND strong passwords or keys.

Whether we like it or not, in practice the obscure ports stop a ton of drive by bots.

Even if you are using a keys, the obscure ports stops the bot with a 0day exploit from getting in.

> I mean isn't security by obscurity generally accepted as bad practice?

That's an oversimplification. Obscurity is generally a really thin layer of security - not nothing, but if people think of it as "real" security then they neglect other things and just have the inadequate layer that is obscurity. By way of analogy - if you add a 3-character password to a system, it is strictly more secure than without that password. But if you think "oh, I have a password, so I'm safe and don't need anything else" then you will get owned the first time someone takes an actual run at your security. A system that depends on obscurity is probably doomed to failure, but that doesn't make its value zero, just low.