[thelist] Protecting a paid membership website from password sharing

Bob Meetin bobm at dottedi.biz
Mon Aug 19 12:51:07 CDT 2013


Thanks for the suggestions on storage, several good solutions which I shared with the client.  Now comes a second concern.

This particular service is to be a paid membership site, yearly or lifetime memberships.  The client is highly concerned that visitors will sign up, then 'cheat' and share their accounts with others, thus diluting the profits. Some thoughts:

  * Setting up common accounts with passwords is the easy solution but fails as people share accounts/passwords (high paranoia). Banks use u/p combos but who in their right mind is going to share this with their buds?
  * Adding to the Terms and Conditions that cheaters will be expunged does nothing to prevent the problem.
  * Implementing something with IP addresses or even subnets requires a tad more effort in the initial sign-up (mostly development) but breaks down if the member is mobile and/or their connection is not static.  I see extra administration and frowning faces here.
  * Limit by MAC address - From what I read this is primarily designed for intranet, not internet and is supposedly easily spoofed. Then of course it breaks down if the visitor attempts to access his account from an unknown device, leading to more administration and frowns.
  * Customer suggested, "Make the password scheme be the cc number"; I winced.


A couple of years back, when I left the country and attempted to access my Facebook developers' account, Facebook gave me fits (and of course I failed my own security questions); I suspect this was based upon a country block or subnet rule.

Other ideas?

-- 
Bob


