Yes, the latter is marginally harder, but you're still leaning on security through obscurity, here.
The number of times I have had "we need to securely transmit this data!" end with exactly or something equivalent to emailing an encrypted ZIP with the password in the body of the email (or sometimes, some other insecure channel…) …
Sure, if you’re comparing worst case of one to best case of the other, it’s functionally similar, but if the password is strong and handled properly, then they are not functionally similar at all.
That's not a fundamental difference but a difference of convention. A lot of us have been in the convention long enough that it seems like a fundamental.
This is indexable by search engines.
> Here's the URL to the thing: https://example.com/a/url and the password is "hunter2".
This is indexable by search engines.