Remembering history passwords may be bad, but they are getting worse
Scott Call
scall at devolution.com
Mon Jul 28 23:03:53 UTC 2003
Kevin Day wrote:
>
> I run one of the larger adult websites, that has a reputation for
> being very difficult to acquire passwords for.
>
One of the more interesting "passive" ways to manage a site like this is
to do something similar to what Streamload does (or did, I haven't tried
it lately).
I don't know if this is useful for other web services, but for most
non-shared accounts, there should be a limit of how many unique IP
addresses in a set time period can access a given account.
The limit shouldn't be one, because of dynamic IPs and people having
work and home computers, but, for example, 5 unique IPs per 24 hours would
catch a shared password within a day or less.
Another limit to consider is one session per username at a time, so if a
user is "logged in" and another authentication attempt is made from a
different IP, it either terminates the first user's session or refuses
login. Back in the late 80s/early 90s we had a service in my area
called "POPNET" that was a multi-user BBS. They were a pay service, and
if an account logged on twice they would lock the account for 24 hours.
It stopped password sharing real quick :)
I personally would not object to a SecurID or USB RSA dongle for online
banking/etc., but I can see a problem with "too many standards" where you
would have a SecurID or key dongle for every different credit card and
bank account. What would be nice to see is a trusted third party
(insured against loss like a bank is) that would issue a single SecurID
that would be the key for any number of different financial
services. This is different from something like Microsoft's "Passport"
initiative in that it (a) is SecurID-based, (b) would be maintained by
a trusted company, and (c) would be cross-platform.
-Scott
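The two passive checks described in the message above (a cap on distinct source IPs per account in a rolling 24-hour window, and one live session per username that either refuses a second login or evicts the first), written out as a small in-memory monitor. This is an added example, not code from the original post or from Streamload, POPNET or any other service named in it; the class and function names, the thresholds, and the login event log are constructed for illustration.

```python
"""Added example (not from the original post): the two passive
password-sharing checks the message describes, as an in-memory monitor.

 1. Cap the number of distinct source IPs that may log in to one account
    inside a rolling window (5 per 24 hours, the figure from the post).
 2. Allow one live session per username: a login from a different IP while
    a session is open is either refused or evicts the older session.

Names, thresholds and the sample event log are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Optional, Tuple

WINDOW_SECONDS = 24 * 60 * 60   # rolling window for the distinct-IP cap
MAX_UNIQUE_IPS = 5               # post's example: 5 unique IPs per 24 hours


@dataclass
class AccountState:
    # (timestamp, ip) for every accepted login, oldest first
    logins: Deque[Tuple[int, str]] = field(default_factory=deque)
    # IP of the currently open session, if any
    session_ip: Optional[str] = None


class SharingMonitor:
    def __init__(self, window=WINDOW_SECONDS, max_ips=MAX_UNIQUE_IPS,
                 single_session=True, evict=False):
        self.window = window
        self.max_ips = max_ips
        self.single_session = single_session
        self.evict = evict  # True: new login kicks the old session; False: refuse it
        self.accounts = defaultdict(AccountState)

    def _recent_ips(self, st, now):
        # Drop logins that fell out of the window, then collect distinct IPs.
        while st.logins and st.logins[0][0] <= now - self.window:
            st.logins.popleft()
        return {ip for _, ip in st.logins}

    def login(self, user, ip, now):
        """Return 'ok', 'ip_limit' (too many distinct IPs, refused),
        'busy' (session open elsewhere, refused) or 'evicted'
        (accepted, the older session from another IP was closed)."""
        st = self.accounts[user]
        ips = self._recent_ips(st, now)
        if ip not in ips and len(ips) >= self.max_ips:
            return "ip_limit"
        verdict = "ok"
        if self.single_session and st.session_ip not in (None, ip):
            if not self.evict:
                return "busy"
            verdict = "evicted"
        st.logins.append((now, ip))
        st.session_ip = ip
        return verdict

    def logout(self, user):
        self.accounts[user].session_ip = None


def replay(events, monitor):
    """Feed (time, user, ip, action) events through the monitor; return the
    same tuples with the monitor's verdict in place of the action."""
    out = []
    for now, user, ip, action in events:
        if action == "logout":
            monitor.logout(user)
            out.append((now, user, ip, "logout"))
        else:
            out.append((now, user, ip, monitor.login(user, ip, now)))
    return out


# Constructed sample log: seconds since some epoch, user, source IP, action.
H = 3600
SAMPLE_EVENTS = [
    (0 * H, "alice", "198.51.100.7", "login"),     # home
    (1 * H, "alice", "198.51.100.7", "logout"),
    (9 * H, "alice", "203.0.113.40", "login"),     # work; old session closed -> ok
    (9 * H, "bob", "192.0.2.10", "login"),
    (9 * H + 60, "bob", "192.0.2.11", "login"),    # bob still logged in elsewhere -> busy
]
# mallory's password is being passed around: six hosts in six hours
for k in range(6):
    SAMPLE_EVENTS.append((10 * H + k * H, "mallory", f"192.0.2.{20 + k}", "login"))
    SAMPLE_EVENTS.append((10 * H + k * H + 60, "mallory", f"192.0.2.{20 + k}", "logout"))
# a day after mallory's first login, the oldest IP has aged out of the window
SAMPLE_EVENTS.append((34 * H + 1, "mallory", "192.0.2.25", "login"))

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS, SharingMonitor()):
        print(row)
```

With the defaults, the sixth distinct IP for "mallory" inside the window is refused with `ip_limit`, bob's second host gets `busy`, and alice's home-then-work pattern passes because she logged out in between. Constructing the monitor with `evict=True` turns the `busy` case into `evicted`, which is the "terminate the first user's session" variant the post mentions.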
More information about the NANOG mailing list