[thelist] Protecting a paid membership website from password sharing

Phil Turmel philip at turmel.org
Mon Aug 19 15:33:37 CDT 2013


On 08/19/2013 01:51 PM, Bob Meetin wrote:
> Thanks for the suggestions on storage, several good solutions which I
> shared with the client.  Now comes a second concern.
> 
> This particular service is to be a paid membership site, yearly or
> lifetime memberships.  The client is highly concerned that visitors will
> sign up, then 'cheat' and share their accounts with others, thus
> diluting the profits. Some thoughts:
> 
>  * Setting up common accounts with passwords is the easy solution but
> fails as people share accounts/passwords (high paranoia). Banks use u/p
> combos but who in their right mind is going to share this with their buds?
>  * Adding to the Terms and Conditions that cheaters will be expunged does
> nothing to prevent the problem.
>  * Implementing something with IP addresses or even subnets requires a
> tad more effort in the initial sign-up (mostly development) but breaks
> down if the member is mobile and/or their connection is not static.  I
> see extra administration and frowning faces here.
>  * Limit by MAC address - From what I read this is primarily designed
> for intranet, not internet and is supposedly easily spoofed. Then of
> course it breaks down if the visitor attempts to access his account from
> an unknown device, leading to more administration and frowns.
>  * Customer suggested, "Make the password scheme be the cc number"; I
> winced.

There's no magic bullet, but you can achieve much of what they are after
by blocking simultaneous access from multiple devices.  Simply have the
login process invalidate any *other* live sessions for that user.
(Session cookies alone will separate the devices.)

Phil
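As an added illustration (not part of Phil's reply or anything posted in the thread), here is one way to implement "login invalidates any other live session for that user" in Python. The store keeps exactly one current session token per user; a new login for the same user revokes whatever token was issued before, so the earlier device's cookie stops resolving to a user on its next request. The class and function names, the in-memory dictionaries and the fixed timestamps passed in for testing are all hypothetical; a real site would put the same two mappings in its database or session cache.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    token: str
    created: float


class SingleSessionStore:
    """Hypothetical session store allowing at most one live session per user.

    Two indexes are kept: token -> Session (what the cookie lookup needs) and
    user -> current token (what login needs in order to revoke the old one).
    """

    def __init__(self, ttl_seconds: float = 3600.0) -> None:
        self.ttl = ttl_seconds
        self._by_token: Dict[str, Session] = {}
        self._by_user: Dict[str, str] = {}

    def login(self, user: str, now: Optional[float] = None) -> str:
        """Issue a fresh session token and revoke any other session this user had."""
        now = time.time() if now is None else now
        old = self._by_user.pop(user, None)
        if old is not None:
            self._by_token.pop(old, None)
        # 32 random bytes from the OS CSPRNG; never derive this from the user id.
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(user, token, now)
        self._by_user[user] = token
        return token

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a cookie value to a user, or None if revoked, unknown or expired."""
        now = time.time() if now is None else now
        sess = self._by_token.get(token)
        if sess is None:
            return None
        if now - sess.created > self.ttl:
            self.logout(token)
            return None
        return sess.user

    def logout(self, token: str) -> None:
        """Explicit logout; only clears the user index if this token is still current."""
        sess = self._by_token.pop(token, None)
        if sess is not None and self._by_user.get(sess.user) == token:
            del self._by_user[sess.user]


def shared_account_walkthrough() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: one paid account used from two devices.

    Device A logs in, then a friend logs in as the same user from device B.
    Returns what each device's cookie resolves to afterwards.
    """
    store = SingleSessionStore(ttl_seconds=3600.0)
    cookie_a = store.login("member42", now=1000.0)
    cookie_b = store.login("member42", now=1005.0)  # second device, same credentials
    return store.user_for(cookie_a, now=1010.0), store.user_for(cookie_b, now=1010.0)


if __name__ == "__main__":
    print(shared_account_walkthrough())
```

Note the behaviour this produces: the second login is not refused, the first device is logged out instead. That is what makes account sharing inconvenient without any IP or device tracking, since two people using the account at once keep kicking each other off. It does nothing against purely sequential sharing, and it will also log out a legitimate member who simply switches from a laptop to a phone, so the login page should say so rather than leave the user guessing.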