zlacker

From what i understand, the original context of "security through obscurity=bad" is that its really hard to keep secrets, and its hard to design secure systems, so peer review is really helpful. Thus if the security of your system relies on it being secret, you are probably in a bad place because its hard to keep something so big secret, its hard to redesign the system if it leaks, you probably had less people look at it in order to keep it secret. This is in contrast to just having a password or key secret. You can easily change a password if it gets leaked. You can keep a small password secret much easier than the design of the whole system, etc.

More generally, security is like any other field. You have to evaluate arguments based on the logic and evidence given. The main difference is that with crypto, it is much easier to shoot yourself in the foot and have catastrophic failure, since you have to be perfect and the attackers just have to be right once to totally own you. Thus the industry has standardized on a few solutions that have been checked really really well.

More generally, if you are interested, i would say read the actual papers. The papers on bcrypt, argon2 etc explain what problems they are trying to solve, usually by contrasting with previous solutions that have failed in some fashion. That doesn't mean reading the paper will explain everything or make you an expert or qualify you to roll your own crypto. Nor should you believe just because a paper author says something is a good idea that it actually is. It will however explain why slow hash function like bcrypt/argon2/scrypt were created and are better choices than the previous solutions in the domain like md5.