[Dylan16807]

What is larger than what?

With the most straightforward way for "meeting id with a password" and "longer meeting id" to be the same, both methods provide the exact same expansion in search space compared to the previous implementation, and they have the exact same search space as each other.

(That method being: concatenate shortid and password to get longid)

[CPLX]

Here’s an ignorant question. I see this comment all the time, that an ID and PIN is exactly the same as a longer ID, but is it actually true?

I get the logic of it, but in a practical sense doesn’t it have the potential to be different? For example, if you have to enter a correct ID, wait, and then get prompted for a password, couldn’t that potentially slow down an attacker?

Alternately, couldn’t a bunch of correct meeting ID’s followed by incorrect PINs present an opportunity to flag the ID as under attack, or give a prompt to a host that would spur inquiry, or something?

Perhaps I’m wrong about this but it seems like there are some non trivial differences between the two.

[catalogia]

There is no reason you couldn't implement rate limiting under the "longer ID" scheme.

[CPLX]

Sure, but your rate limit would be for all conferences.

The idea being by separating the conference number and PIN number you could limit the ability to attack a specific user ID more easily.

[Dylan16807]

So we have to look at what "attacking a specific ID" even means.

With separate room numbers and PINs, it means you know the room number but not the PIN. Simple enough.

But in the long-id scenario, that means you have part of the ID, but not all of the ID. That's pretty unlikely to happen. Instead, situations where someone would have leaked the room number will take one of two routes: either the person leaks the longer ID, and there is no attacking necessary, or the person realizes that the secret code needs to be secret, and nothing is leaked at all. Either way, attacks on a specific conference ID no longer happen.