[RESOLVED] Online 'Local' Publication Password Security
I have been asked by a friend that produces a local online publication (small island) if there is a mechanism to stop registered users (paid a subscription) from passing around passwords to other non-registered users?
IP addresses were mentioned etc., but I'm not convinced of that method...
My quickie solution was to auto-generate passwords each month and email the registered user with the new password when the next publication was available. Therefore, stopping password hoarders, but it wouldn't stop users passing on the password.
I believe that most sites which try to control this do it by keeping track of the user's IP, and watching for patterns that indicate likely abuse: basically some frequency of IP address change, particularly changes indicating frequent changes in location (i.e. via a ip-to-location database). The trick here is determining how many changes over what amount of time should be flagged as password sharing versus annoying legitimate users who happen to travel a lot.
Thanks, it sounds as though I need a Cray Super Computer and a slice of neural networking.
Perhaps a password, with a time-out period, could be auto-generated and emailed to the registered user's email address. The password could be based upon the submitted IP address? Therefore when they try to sign in the entered password could be verified against the user's connection information, perhaps? lol
Is the publication downloaded to the user? If so, the user could click a link, a token could be generated and saved in the db (uniqid()?), and put into a link emailed to the logged in user's address. Then clicking that link would take them to the download page if it correctly matches the ID saved for them in the DB, after which that ID would be marked as used so that it could not be used again by anyone.
The PDF version will be available for download a week later than the on-line content. That's a great idea so that they can't forward the email containing the unique link Token.
Thanks for your replies again,
Just to complete the thread....
User clicks the publication edition link.
Email created and sent to the user with a link whose URL parameters are the chksum and the end datetime.
Checksum based on IP address, username and end datetime period (15 minute window).
User clicks the link within the email, normal login procedural check, then the checksum is validated and the link checked to be within its time-out period.
Thanks for your input.
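The checksum-link flow above, as an added worked example that is not code from the thread: it uses an HMAC with a server-side secret in place of a plain checksum (so the three inputs alone are not enough to forge a link), and the URL, function names and secret are assumptions.

```php
<?php
// Added example: a signed, time-limited edition link built from the thread's
// three inputs (username, IP address, end datetime). The "checksum" is an HMAC
// keyed by a server-side secret; URL, names and secret are assumptions.

const LINK_TTL_SECONDS = 15 * 60;   // the 15-minute window from the thread
const SERVER_SECRET    = 'replace-with-a-random-secret-from-config'; // placeholder

// Build the URL parameters that go into the email: user, expiry and signature.
function makeEditionLink(string $username, string $clientIp, int $now, string $secret = SERVER_SECRET): string
{
    $expires = $now + LINK_TTL_SECONDS;
    $mac = hash_hmac('sha256', "$username|$clientIp|$expires", $secret);
    return 'https://example.invalid/edition?' . http_build_query([
        'u'   => $username,
        'exp' => $expires,
        'sig' => $mac,
    ]);
}

// Validate a clicked link: the logged-in user, the connecting IP address and the
// current time must all agree with what was signed. Returns a reason string.
// Caveat: users behind NAT, proxies or mobile carriers may change IP between
// requesting and clicking, so expect some legitimate 'bad-signature' results.
function verifyEditionLink(array $params, string $loggedInUser, string $clientIp, int $now, string $secret = SERVER_SECRET): string
{
    if (!isset($params['u'], $params['exp'], $params['sig'])) {
        return 'missing-parameters';
    }
    if ($params['u'] !== $loggedInUser) {
        return 'wrong-user';          // link forwarded to a different account
    }
    $expires = (int) $params['exp'];
    if ($now > $expires) {
        return 'expired';             // outside the 15-minute window
    }
    $expected = hash_hmac('sha256', "{$params['u']}|$clientIp|$expires", $secret);
    if (!hash_equals($expected, (string) $params['sig'])) {
        return 'bad-signature';       // tampered, or clicked from another IP address
    }
    return 'ok';
}

// Demo with constructed values (fixed timestamp and documentation IP addresses).
$now  = 1269720000;
$link = makeEditionLink('islander', '203.0.113.7', $now);
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
echo 'same user, same IP, 1 min later: ', verifyEditionLink($q, 'islander', '203.0.113.7', $now + 60), "\n";
echo 'same user, other IP:             ', verifyEditionLink($q, 'islander', '198.51.100.9', $now + 60), "\n";
echo 'same user, after the window:     ', verifyEditionLink($q, 'islander', '203.0.113.7', $now + 1000), "\n";
```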
I know of a publication that gets away with a very annoying method...
IBS Publishing - they publish very specific and useful material for the banking industry. It's also very expensive...
Anyway, they have a special reader they install via a token which goes into ONE computer and one computer only. The documents cannot be copied nor printed, but must be read online. Nobody else can access them, you cannot take a screenshot.
This seems to work - I don't recall what system they use.
It is very annoying to users, but for very expensive and esoteric materials not available anywhere else, this might work.
As above, you need to also be aware of how much of this your visitors/users will tolerate.
You should also perhaps consider monitoring sites (with a script) like BugMeNot, where people will post passwords and share login details to sites. Shut down any publicized logins/passwords immediately.
I have a friend with a dating site that found his logins and passwords posted there!
Sorry for butting in, but out of curiosity, how can they disable the Print Screen (PrtScrn) key on anyone's keyboard, or even stop anyone from taking a high resolution digital photo of what's on the screen?
Nobody else can access them, you cannot take a screenshot.
ps.....maybe I've been watching too many James Bond movies.
Last edited by tirna; 03-27-2010 at 07:58 PM.
I'd go back to Nogdog's suggestion and record the IP address.
We use the following in our CMS, not to stop password sharing, but to offer members an additional layer of security.
$xip is recorded in the user's record, along with their name, password, and an answer to one of ten of those stupid questions (e.g. what was your first dog's name?).
// Get the IP address. Note: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request
// headers the client (or a proxy) supplies, so they are only as trustworthy as
// the proxy in front of the server; REMOTE_ADDR is the socket peer address.
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {            // check IP from shared internet
    $xip = $_SERVER['HTTP_CLIENT_IP'] . "ip";
} else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { // check IP passed on from a proxy
    $xip = $_SERVER['HTTP_X_FORWARDED_FOR'] . "proxy";
} else if (!empty($_SERVER['REMOTE_ADDR'])) {          // direct connection
    $xip = $_SERVER['REMOTE_ADDR'] . "remote";
} else {                                               // no address available at all
    $r = rand();
    $xip = "UNKNOWN." . $r;
}
If the user logs on from a different IP address to the one recorded, the additional layer of security kicks in and asks them to answer that question. For you, I'd then get the incoming user to answer a different question, which means that even if the next user of the "borrowed" password was to try to log on, they wouldn't have the second answer.
Also, when the "owner" of the password tries to next log on, because he's now logging on from an IP address that's different to the one used by the "borrower", he's going to be asked a question to which he doesn't know the answer.
The reality is that even dynamic IP addresses change rarely, so if you tracked the number of times a different IP address was used, you'd be able to pick up users who were sharing passwords.
Oh Lord, please help me be the person my dog thinks I am.
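The IP-change step-up and the "count how many different IP addresses a user logs in from" idea above, as an added example that is not the CMS code from the post; the thresholds, window and function names are assumptions.

```php
<?php
// Added example: decide whether a login is allowed outright, needs the stored
// security question, or should be flagged as likely password sharing.
// MAX_DISTINCT_IPS and WINDOW_SECONDS are assumed thresholds, not from the post.

const MAX_DISTINCT_IPS = 3;            // more distinct addresses than this is suspicious
const WINDOW_SECONDS   = 30 * 86400;   // look back 30 days

// $recordedIp: the IP address stored at the last successful login ($xip in the post).
// $history: recent successful logins as [[ip, unixTimestamp], ...].
function loginDecision(string $recordedIp, string $currentIp, array $history, int $now): string
{
    $recentIps = [];
    foreach ($history as [$ip, $ts]) {
        if ($now - $ts <= WINDOW_SECONDS) {
            $recentIps[$ip] = true;
        }
    }
    $recentIps[$currentIp] = true;
    if (count($recentIps) > MAX_DISTINCT_IPS) {
        return 'flag';        // too many locations in the window: review for sharing
    }
    if ($currentIp !== $recordedIp) {
        return 'challenge';   // ask the stored security question before proceeding
    }
    return 'allow';
}

// Security answers are stored hashed, never in clear text, so a leaked user
// table does not hand out the second factor along with the password.
function storeSecurityAnswer(string $answer): string
{
    return password_hash(strtolower(trim($answer)), PASSWORD_DEFAULT);
}

function checkSecurityAnswer(string $answer, string $storedHash): bool
{
    return password_verify(strtolower(trim($answer)), $storedHash);
}

// Demo with a constructed login history (documentation IP addresses).
$now     = 1269720000;
$history = [['203.0.113.7', $now - 86400], ['203.0.113.7', $now - 3600]];
echo 'same address as recorded: ', loginDecision('203.0.113.7', '203.0.113.7', $history, $now), "\n";
echo 'new address:              ', loginDecision('203.0.113.7', '198.51.100.9', $history, $now), "\n";
$hash = storeSecurityAnswer('Rex');
echo 'answer check: ', checkSecurityAnswer('rex ', $hash) ? 'accepted' : 'rejected', "\n";
```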
I had to write a similar system where we had to register a copy of the software to a specific machine, hours of fun, lol. Interesting about BugMeNot, thanks.
If you write in a low-level language that supports low level system interrupts (hooks), anything is possible. Not quite JB, boring though.
I like the solution. I will definitely use it in the future. The only issue I have is it requires extra input information from users, but for other websites this is an ideal solution.
Thanks to all.