Here’s an ignorant question. I see this comment all the time, that an ID and PIN is exactly the same as a longer ID, but is it actually true?
I get the logic of it, but in a practical sense doesn’t it have the potential to be different? For example, if you have to enter a correct ID, wait, and then get prompted for a password, couldn’t that potentially slow down an attacker?
Alternately, couldn’t a bunch of correct meeting IDs followed by incorrect PINs present an opportunity to flag the ID as under attack, or give a prompt to a host that would spur inquiry, or something?
Perhaps I’m wrong about this but it seems like there are some non-trivial differences between the two.
So we have to look at what "attacking a specific ID" even means.
With separate room numbers and PINs, it means you know the room number but not the PIN. Simple enough.
But in the long-id scenario, that means you have part of the ID, but not all of the ID. That's pretty unlikely to happen. Instead, situations where someone would have leaked the room number will take one of two routes: either the person leaks the longer ID, and there is no attacking necessary, or the person realizes that the secret code needs to be secret, and nothing is leaked at all. Either way, attacks on a specific conference ID no longer happen.
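The attribution difference discussed in this thread, as an added example that is not part of either post: with a separate room number and PIN, a run of wrong PINs can be tied to one room and flagged, while with a single long code a wrong guess matches no meeting at all. The 9-digit room numbers, 4-digit PINs, `THRESHOLD` and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data: two meetings, each a 9-digit room number with a 4-digit PIN.
ROOMS = {"123456789": "4821", "987654321": "0077"}
# The same secrets expressed as one 13-digit code per meeting.
LONG_IDS = {room + pin for room, pin in ROOMS.items()}
THRESHOLD = 3  # hypothetical: failed PINs against one room before it is flagged


def flag_split(attempts):
    """Split scheme: a wrong PIN on a valid room is attributable to that room."""
    failures = Counter(
        room for room, pin in attempts
        if room in ROOMS and ROOMS[room] != pin
    )
    return sorted(room for room, n in failures.items() if n >= THRESHOLD)


def flag_long(attempts):
    """Long-code scheme: a wrong code belongs to no meeting, so only a
    global miss count is available and no host can be notified."""
    misses = sum(1 for code in attempts if code not in LONG_IDS)
    return {"flagged_rooms": [], "global_misses": misses}


# Constructed attempt log: three wrong PINs on a known room, one guess at a
# room that does not exist, and one legitimate join.
SPLIT_ATTEMPTS = [
    ("123456789", "0000"),
    ("123456789", "0001"),
    ("123456789", "0002"),
    ("555555555", "1234"),
    ("987654321", "0077"),
]
# The same five attempts as they would arrive under the long-code scheme.
LONG_ATTEMPTS = [room + pin for room, pin in SPLIT_ATTEMPTS]

if __name__ == "__main__":
    print("split scheme flags:", flag_split(SPLIT_ATTEMPTS))
    print("long-code scheme:  ", flag_long(LONG_ATTEMPTS))
```
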