[thelist] Protecting a paid membership website from password sharing

Phil Turmel philip at turmel.org
Mon Aug 19 15:33:37 CDT 2013

On 08/19/2013 01:51 PM, Bob Meetin wrote:
> Thanks for the suggestions on storage, several good solutions which I
> shared with the client.  Now comes a second concern.
> This particular service is to be a paid membership site, yearly or
> lifetime memberships.  The client is highly concerned that visitors will
> sign up, then 'cheat' and share their accounts with others, thus
> diluting the profits. Some thoughts:
>  * Setting up common accounts with passwords is the easy solution but
> fails as people share accounts/passwords (high paranoia). Banks use u/p
> combos but who in their right mind is going to share this with their buds?
>  * Adding to the Terms of Conditions that cheaters will be expunged does
> nothing to prevent the problem.
>  * Implementing something with IP addresses or even subnets requires a
> tad more effort in the initial sign-up (mostly development) but breaks
> down if the member is mobile and/or their connection is not static.  I
> see extra administration and frowning faces here.
>  * Limit by MAC address - From what I read this is primarily designed
> for intranet, not internet and is supposedly easily spoofed. Then of
> course it breaks down if the visitor attempts to access his account from
> an unknown device, leading to more administration and frowns.
>  * Customer suggested, "Make the password scheme be the cc number"; I
> winced.

There's no magic bullet, but you can achieve much of what they are after
by blocking simultaneous access from multiple devices.  Simply have the
login process invalidate any *other* live sessions for that user.
(Session cookies alone will separate the devices.)


More information about the thelist mailing list