Prevent users from sharing passwords

  • Question

  • User-226330509 posted

    Hi,

    Most of the users of my site know each other.

    People being people, they share username / passwords between themselves, to avoid paying individually for membership to the site.

    What's the best way to prevent password sharing in this situation? (some person is going to say "decrease membership fees" haha)

    OK. It's easy to prevent simultaneous logins. That's done, thanks to Peter Bromberg at http://www.eggheadcafe.com/articles/20030418.asp

    How about reducing the number of logins a user may have in a single day? I can do that, but I really care about convenience for my users as well, and kicking them out on a busy day would really ruin their mood!

    What I would REALLY like to do is uniquely identify the computer that the user is using. Then, I can license that user to access the website from only one or two of their own computers.

    IP address cannot be used for this job, since most of my users are not on fixed IPs.

    I have thought of using their MAC address for the job. Getting their MAC address can be done in either of two ways:

    1. Write some client-side code in ~/Default.aspx which gets the client computer's MAC address and posts it to the server. I've done that successfully already, but it requires a really nasty reduction in the client's security settings. They're not going to be happy about that, or tech-savvy enough to accomplish it in some cases.

    2. Write a custom browser that they can download and install on their computers. Because it is running on the client's machine, the custom browser could easily post their MAC address in the query string when it first starts up. That'd be cool, 'cos they would have a special browser for my website! However, it's also inconvenient, because I only know C#, and that won't work cross-platform.

    Finally, this discussion brings me to three questions:

    a) Can I achieve goal number (2) cross-platform using Microsoft's Java? (least desirable option)

    b) Can I write an applet or ActiveX component to do the job? If so, how? Do I have to make sure it's an applet to work on all my clients' computers, regardless of platform?

    c) Is there any other cross-platform way of uniquely identifying a user's computer without causing them a major headache?

    Thanks so much for your assistance in this,

    Ben

     

    Tuesday, July 10, 2007 4:45 PM

Answers

  • User76536425 posted

    The best resource I know of is Dominick Baier's book, Developing More-Secure ASP.NET 2.0 Applications. The authentication chapter is worth the price of admission, although it is not an easy read. Lots of good options in there.

    Good luck!

    Don 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, July 12, 2007 9:58 PM

All replies

  • User-226330509 posted

    One humorous solution I found on the net is to make the clients use their credit card number as their password! If they want to share their password, they also have to share their credit card number. That could have its repercussions [:)]

    Look forward to hearing your suggestions,

    Ben

    Tuesday, July 10, 2007 5:43 PM
  • User-226330509 posted

    OK. Below I have pasted a fairly good JavaScript solution that I have found for getting the MAC address. It came from http://www.devarticles.com/c/a/JavaScript/Advanced-JavaScript-with-Internet-Explorer-Retrieving-Networking-Configuration-Information/1/

    If the user has not reduced their security, line 15 will catch an exception and take them to a page containing a Camtasia video from me telling them how to proceed.

    I can tolerate putting my users through this one-time annoyance.

    IE versions < 5.5 don't create ActiveX objects, so I will have to isolate some dinosaur systems. That's ok.

    If we decide to go ahead with this system, will it work on Apple machines? If not, what can I do about that? That's one class of users that cannot be ignored.

    1    <!DOCTYPE  HTML  PUBLIC  "-//W3C//DTD HTML 4.0 Transitional//EN">
    2    <html>
    3    <head>
    4        <title></title>
    5        <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    6        <meta name="vs_targetSchema" content="http://schemas.
    7    microsoft.com/intellisense/ie5">
    8    
    9        <script id="clientEventHandlersJS" language="javascript">
    10   <!--
    11   
    12   function Button1_onclick() {
    13         var locator;
    14         try { locator = new ActiveXObject ("WbemScripting.SWbemLocator"); }
    15         catch (error) { window.location = 'InstructionsToReduceSecurity.htm'; return false; }
    16         var service = locator.ConnectServer(".");
    17         var properties = service.ExecQuery("SELECT * FROM Win32_NetworkAdapter");
    18         var e = new Enumerator (properties);
    19         document.write("<table border=1>");
    20         dispHeading();
    21         for (;!e.atEnd();e.moveNext ())
    22         {
    23               var p = e.item ();
    24               document.write("<tr>");
    25               document.write("<td>" + p.AdapterType + "</td>");
    26               document.write("<td>" + p.AdapterTypeId + "</td>");
    27               document.write("<td>" + p.DeviceID + "</td>");
    28               document.write("<td>" + p.Index + "</td>");
    29               document.write("<td>" + p.MACAddress + "</td>");
    30               document.write("<td>" + p.Manufacturer + "</td>");
    31               document.write("<td>" + p.MaxSpeed + "</td>");
    32               document.write("<td>" + p.NetConnectionID + "</td>");
    33               document.write("<td>" + p.NetConnectionStatus + "</td>");
    34               document.write("<td>" + p.PNPDeviceID + "</td>");
    35               document.write("<td>" + p.SystemName + "</td>");
    36               document.write("</tr>");      
    37         }
    38         document.write("</table>");
    39   }
    40   
    41   function dispHeading()
    42   {
    43         document.write("<thead>");
    44         document.write("<td>AdapterType</td>");
    45           document.write("<td>AdapterTypeId</td>");
    46           document.write("<td>DeviceID</td>");
    47         document.write("<td>Index</td>");
    48         document.write("<td>MACAddress</td>");
    49         document.write("<td>Manufacturer</td>");
    50         document.write("<td>MaxSpeed</td>");
    51         document.write("<td>NetConnectionID</td>");
    52         document.write("<td>NetConnectionStatus</td>");
    53         document.write("<td>PNPDeviceID</td>");
    54         document.write("<td>SystemName</td>");
    55         document.write("</thead>");
    56   }
    57   
    58   //-->
    59       </script>
    60   
    61   </head>
    62   <body>
    63       <input id="Button1" type="button" value="Button" name="Button1" language="javascript"
    64           onclick="return Button1_onclick()">
    65   </body>
    66   </html>
    67   
    
     

     

    Tuesday, July 10, 2007 7:00 PM
  • User76536425 posted

    So, what you are saying is that your users should dramatically lower their security protections in order to protect you? Is your site that incredibly valuable for them?

    This solution is just evil. If your site is ever hacked, your users are toast.

    Other solutions you've mentioned are less effective, as you've noted, but at least they don't cause users to screw themselves!

    Have you considered requiring client certificates? That would be one thing to do, but possibly complicated for users. It's nice though, because it allows mutual authentication.

    Don

    P.S. I LOVE the credit card as password idea! That is even more evil, but you're right that it's a funny idea! 

    Tuesday, July 10, 2007 10:29 PM
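
The client-certificate suggestion in the reply above, sketched as an added example that is not part of the original thread: each account is bound to at most two certificates, matching the "one or two of their own computers" goal. `DeviceRegistry`, `Authorize`, `MaxDevices` and `Demo` are hypothetical names; the sketch assumes the web server has already validated the certificate chain and proof of key possession during the TLS handshake, and the demo needs a .NET version that provides `CertificateRequest`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: binds each account to at most MaxDevices client certificates.
public class DeviceRegistry
{
    public const int MaxDevices = 2; // "one or two of their own computers"
    private readonly Dictionary<string, HashSet<string>> _byUser =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    // True if this certificate may sign in as this user. An unseen certificate
    // is enrolled only while the account still has a free device slot.
    public bool Authorize(string user, X509Certificate2 cert)
    {
        if (string.IsNullOrEmpty(user) || cert == null) return false;
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) return false; // outside validity period
        lock (_byUser) // requests arrive concurrently in a web application
        {
            if (!_byUser.TryGetValue(user, out HashSet<string> devices))
                _byUser[user] = devices = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            if (devices.Contains(cert.Thumbprint)) return true; // known machine
            if (devices.Count >= MaxDevices) return false;      // one machine too many
            devices.Add(cert.Thumbprint);                        // first sign-in from this machine
            return true;
        }
    }
}

public static class Demo
{
    // Constructed sample data: throwaway self-signed certificates stand in for
    // the ones a site-run CA would issue to each member's machine.
    static X509Certificate2 MakeCert(string commonName)
    {
        RSA key = RSA.Create(2048);
        var request = new CertificateRequest("CN=" + commonName, key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(DateTimeOffset.Now.AddMinutes(-5), DateTimeOffset.Now.AddDays(1));
    }

    public static void Main()
    {
        var registry = new DeviceRegistry();
        X509Certificate2 home = MakeCert("ben-home");
        foreach (var c in new[] { home, MakeCert("ben-work"), MakeCert("friend-pc"), home })
            Console.WriteLine(c.Subject + " -> " + registry.Authorize("ben", c));
    }
}
```

In an ASP.NET page the certificate would come from `Request.ClientCertificate`, and the registry would be kept in the membership database rather than in memory. The binding to a machine holds only if the private key is stored as non-exportable on it.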
  • User-226330509 posted

    Hey Don,

    You're absolutely correct, of course. The client certificate is a good idea. I've never heard of it before, so I'm googling it now to find out if it's something I can do. To be honest, I would really hate to implement the ideas I have had so far.

    I wonder if the client certificate can be done using shared hosting? My web hosts, http://hostingheaven.net (and now I'm plugging them), besides being the cheapest Windows hosting I have ever found, will bend over backwards to install custom software into my servers, just 'cos I ask for it (and I'm a small fry customer). They don't have support on the weekends though.

    Thanks for the good idea. Do you know any good resources that I might go to find good information on the topic of client certificates?

    cheers / Ben

    Wednesday, July 11, 2007 8:09 AM