Remembering history passwords may be bad, but they are getting worse

Scott Call scall at devolution.com
Mon Jul 28 23:03:53 UTC 2003


Kevin Day wrote:

>
> I run one of the larger adult websites, that has a reputation for 
> being very difficult to acquire passwords for.
>

One of the more interesting "passive" ways to manage a site like this is 
to do something similar to what Streamload does (or did, I haven't tried 
it lately).

I don't know if this is useful for other web services, but for most 
non-shared accounts, there should be a limit of how many unique IP 
addresses in a set time period can access a given account.

The limit shouldn't be one, because of dynamic IPs and people having 
work & home computers, but for example 5 unique IPs per 24 hours would 
catch a shared password within a day or less.

Another limit to consider is one session per username at a time, so if a 
user is "logged in" and another authentication attempt is made from a 
different IP, it either terminates the first user's session or refuses 
login.  Back in the late 80s/early 90s we had a service in my area 
called "POPNET" that was a multi-user BBS.  They were a pay service, and 
if an account logged on twice they would lock the account for 24 hours.  
It stopped password sharing real quick :)

I personally would not object to a secureID or USB RSA dongle for online 
banking/etc, but I can see a problem with "too many standards" where you 
would have a secureID or key dongle for every different credit card and 
bank account.  What would be nice to see is a trusted third party 
(insured against loss like a Bank is) that would have a single secureid 
issued that would be key for any number of different financial 
services.  This is different than something like Microsoft's "Passport" 
initiative in that it's a) secureID based, b) would be maintained by 
a trusted company, and c) would be cross-platform.

-Scott
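The two per-account limits in the post above (a cap on distinct source IPs per account in a 24-hour window, and one session per username at a time) are simple enough to show in working code. The following is an added example, not code from the post, Streamload or any service mentioned; the policy values (5 IPs, 24 hours), the verdict strings, the `AccountAccessMonitor` class and the sample event log are all constructed for illustration.

```python
"""Per-account access limits as described in the post: a cap on distinct
source IPs per account in a sliding window, plus a one-session-per-username
rule.  Added example; class name, verdicts and policy values are illustrative."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AccountAccessMonitor:
    """Tracks successful logins per account and applies two policies.

    Feed it only *successful* authentications; failed attempts belong to a
    separate lockout policy and would only add noise here.
    """

    def __init__(self, window=timedelta(hours=24), max_unique_ips=5,
                 kick_previous=True):
        self.window = window
        self.max_unique_ips = max_unique_ips
        # kick_previous=True: a login from a new IP ends the earlier session.
        # False: the second login is refused while the first is still active.
        self.kick_previous = kick_previous
        self._logins = defaultdict(deque)   # user -> deque[(ts, ip)], oldest first
        self._sessions = {}                 # user -> ip of the active session

    def _prune(self, user, now):
        """Drop login records that have fallen out of the sliding window."""
        q = self._logins[user]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def unique_ips(self, user, now):
        """Distinct source IPs that authenticated as `user` within the window."""
        self._prune(user, now)
        return {ip for _, ip in self._logins[user]}

    def login(self, user, ip, ts):
        """Record a successful authentication and return the policy verdict."""
        self._logins[user].append((ts, ip))
        if len(self.unique_ips(user, ts)) > self.max_unique_ips:
            # More distinct IPs than one person plausibly uses: treat the
            # password as shared.  Refuse this login and leave any active
            # session alone so the flag can be reviewed by a human.
            return "flag-shared"
        active = self._sessions.get(user)
        if active is not None and active != ip:
            if not self.kick_previous:
                return "refused-concurrent"
            self._sessions[user] = ip
            return "kicked-previous-session"
        self._sessions[user] = ip
        return "ok"

    def logout(self, user):
        self._sessions.pop(user, None)
        return "logout"


# Constructed sample of successful-auth events (not real traffic).
# Columns: timestamp  user  source-ip  event   ("-" = no IP for a logout)
SAMPLE_EVENTS = """\
2003-07-28T08:00:00 alice 198.51.100.10 login
2003-07-28T08:05:00 alice 198.51.100.10 login
2003-07-28T12:30:00 alice 203.0.113.7 login
2003-07-28T13:00:00 bob 192.0.2.1 login
2003-07-28T13:02:00 bob 192.0.2.99 login
2003-07-28T14:00:00 alice 203.0.113.8 login
2003-07-28T15:00:00 alice 203.0.113.9 login
2003-07-28T16:00:00 alice 203.0.113.10 login
2003-07-28T17:00:00 alice 203.0.113.11 login
2003-07-28T17:30:00 alice - logout
2003-07-29T18:00:00 alice 198.51.100.10 login
"""


def replay(events=SAMPLE_EVENTS, **policy):
    """Replay an event log through a fresh monitor; returns (user, verdict) pairs."""
    mon = AccountAccessMonitor(**policy)
    out = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        ts = datetime.fromisoformat(ts)
        if event == "login":
            out.append((user, mon.login(user, ip, ts)))
        elif event == "logout":
            out.append((user, mon.logout(user)))
    return out


if __name__ == "__main__":
    for user, verdict in replay():
        print(f"{user:6} {verdict}")
```

In the sample, alice's sixth distinct IP within 24 hours trips the shared-password flag, while her next-day login from home is clean again because the earlier records have aged out of the window. Switching `kick_previous=False` gives the other behaviour the post mentions, refusing the second login instead of ending the first session. The IP cap catches password sharing; the session rule catches simultaneous use, and the two are independent, which is why the monitor evaluates them separately.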

More information about the NANOG mailing list