North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Remembering history passwords may be bad, but they are gettingworse

  • From: Scott Call
  • Date: Mon Jul 28 19:06:03 2003

Kevin Day wrote:

I run one of the larger adult websites, that has a reputation for being very difficult to acquire passwords for.

One of the more interesting "passive" ways to manage a site like this is to do something similar to what Streamload does (or did, I haven't tried it lately).

I don't know if this is useful for other web services, but for most non-shared accounts, there should be a limit of how many unique IP addresses in a set time period can access a given account.

The limit shouldn't be one, because with dynamic IPs, and people having work & home computers, but for example 5 unique IPs per 24 hours would catch a shared password within a day or less.

Another limit to consider is one session per username at a time, so if a user is "logged in" and another authenication attempt is made from a different IP, it either terminates the first user's session or refuses login. Back in the late 80s/early 90s we had a service in my area called "POPNET" that was a multi-user BBS. They were a pay service, and if an account logged on twice they would lock the account for 24 hours. It stopped password sharing real quick :)

I personally would not object to a secureID or USB RSA dongle for online banking/etc, but I can see a problem with "too many standards" where you would have a secureID or key dongle for every different credit card and bank account. What would be nice to see is a trusted third party (insured against loss like a Bank is) that would have a single secureid issued that would be key for any number of different financial services. This is different than something like Microsoft's "Passport" initiative in that it's a> secureid based, and b> would be maintains by a trusted company, and c> would be cross platform.