|
Limit Account Sharing
Can anyone think of a way to limit massive account sharing?
By massive, I mean 30 - 40 people using the same username/password within 10 minutes. I I don't even know if that could be made into a hack. Can anyone think of any other ways to limit account sharing? Edit: update, an attempt was made in 2006 for vbulletin 3.5! https://vborg.vbsupport.ru/showthread.php?t=109315 It doesn't work now, but at least we know it's possible. |
It is impossible that 2 individuals are using the same account at the same time.
|
Quote:
|
Yeah, people on my forums share accounts all the time. It is possible.
|
Quote:
|
Quote:
|
Quote:
Satan |
Quote:
It is impossible! |
By "the same time" I presume you mean simultaneously...
If so, I was logged in both at home (via direct connection) and at Uni (different IP) and was browsing my board under my username on both browsers... If you mean at the exact same instance in time, I doubt that anyone could do that precisely... Satan |
Quote:
Just something to stop excessive sharing, like other sites do. |
Any ideas? I'd move this to paid requests, but I don't even know what to ask for as I have no idea if it's even possible.
|
If you reset the password after a different ip accesses an account that was previously used by another IP you donĀ“t take dial up users into account.
My DSL connection is separated after 24h. When I am browsing the forum and get disconnected I reconnect immediatly with a new ip. In that case nearly every day I would need to change my password so I doubt that this would be a good idea. You could write a script that detects if a forum cookie for another account is already set and if that is the case then notify an admin about possible account sharing. StarBuG |
Quote:
I still say it's possible. There are many sites out there that can tell when accounts are being shared by checking IP's. How about this: check if there have been 5+ different IP's accessing the account within a certain amount of time - say 20 seconds. Unless DSL or dialups switch IP's every few seconds this should work fine. |
Quote:
They can only assume - with a good or bad ratio of false decisions. |
This is what you want to avoid > I can login right now as admin...then go down the road to my friends house, find my forum and again without any questions login as admin...so we got two admins on different pc's using the same account doing different things.... hmmmmm don't like that me thinks...so here's an idea >
once a user is logged in and then if another login attempt on the same (logged in account) takes place, a simple check should reveal that if already logged in (as shown on the WOL section) then refuse them at the gate with a "your already logged in mate!" screen.... easy! -b6 |
Hmm ... you log in, then you have a line failure and get disconnected after a few seconds.
You dial in again, get a new IP ... and must wait 15 minutes to contine. Would really p*ss me off. Also, what about AOL Users? AOL uses a Proxy Cluster, so every request from an AOL User might come in with a different IP => new Session all the time. *more problems to add here* |
Quote:
|
Yeah. But how would you identify if the "Account Owner" is trying to kill the old Session?
The only thing that comes up my mind are shared secrets (if the Users don't have certificates or you can do biometrical identification) - and then we've gained nothing :) |
Agreed, that would rely on a second password and it can be shared just like the other one. Users on proxies would also be bad (aol comes to mind).
I'm sure it's possible, but I honestly don't see why it is worth coding because anything you do can be gotton around. If you figure out how to do it all on the server side you are still burning clock cycles that can be better used else where. This type of problem is best done by humans imho, sure you can only catch them after the fact. But I'd rather do that then turn away possible members because my code thinks they are browsing from two seperate locations. :) |
Quote:
I don't care if 2 or 3 people are sharing, I just want to stop 10+ people using the same account. |
They usually use some calculation of the numer of different IP's (or subnet's) in a certain period of time. If that is higher then a set limit, it is asumed that it will be a share.
This work fine for pornsites for example where if an account is shared, immediae hundreds of people from all over the world try to use it. |
That's what I always tried to point out: You cannot detect if an account is being shared, you can only assume it, and this assumption might be good or bad, depending on your algortihms.
|
@Kirby,
If you are so depressed all the time, what is that smile doing on your face. |
Thank you both. If I can gather the money I'll probably put this in paid requests.
|
ok, me being an admin, (well, im guessing we all are, lol) i have so many accounts on my site, it woudl drive you insane!) i log on2 all kinds of accounts, i see no need for this /;
|
What I would do is something like this: (It would not be full proof, but it would be a good start)
1) Save all of the IP's that a user logs in from. (I believe the vB does this already now.) You could add a number of times each IP has logged into that account as well to see which ISP is the most used. 2) Check if there is multiple sessions with the same username. If there is more than 3, start the extra check in number 3. 3) Check if the IP's are close together, or far apart. (i.e. make sure the xxx.xxx.*.* parts match up or are very close. (Even resolve the hostname to see if its the same ISP but a different IP address because it was dialed in.) 4) Have a check in to set the account to banned if it detects x number of sessions logged in the time period of y. (Both x and y would be settings that the owner can set.) 5) If it detects say over 20 ISP's of the account and all are different ISP's, ban the account automatically. I think with the above stipulations, you could catch a number of accounts on www.bugmenot.com for example. You might get some legitmate users here and there, but some of the Untachy hacks I have seen would hit some legitmate users sometimes too I think. -CMX |
Quote:
That would be a very nice hack. To make it simpler, just check the domain. If more than x domains are logged into the same account over a period of y, do z. "z" doesn't have to be automatically banning the account, changing the pass, or anything drastic. It could simply make a note in a text file for an admin to read. |
Quote:
|
Over a 10 minute period of time you get http requests from 3 or 4 different IP addresses, I think that most people would say that is worth looking in to, so then FLAG the account.
Let me be specific that the requests contiune over the time period, not IP1 for 10 munites then IP2 then IP3 then IP4, but a mix of requests. A simple whois to check if the IP block belongs to the same ISP and then you KNOW its being shared (especially if you are talking saw east coast and westcoast IPs). (This can be done with a nightly cron job, or even on the fly depending on severity thesholds) Quite possible to detect, since you are using authenticated access. Remember its not that an account "changes" IPs its simultaneous requests. A user with 10 requests per minute over 2 IP addresses for 10 minutes sure the heck IS sharing accounts :) (unless the ISP has some real elaborate load sharing proxy, but in this case you can rely on whois lookups) 1. VBB detects more than X IP addresses per username in an X seconds, and flags the account. 2. Log parcer kicks in for flagged accounts and strips out username/IP data and does a whois and checks for IP ownership, and outputs an email address to the forums staff (keeps false positives down) 3. Automated step via theshold that says if X IPs in X hours (and whois data not matching) and starts actions placed in the plugin (admin can set anywhere from flag and email to shutdown the account (heck lauch a nuke if you have that kind of access :P) -Zxin Quote:
|
Quote:
|
Why not also add a check for a temp cookie? That would maintain itself on each computer regardless of the dynamic ip change, but would have to be unique per machine.
Give it a period where if it switches back from one temp cookie to another too quickly, you knock out one account, keep the older active. Keep doing it. |
bump, update!
|
Just use their web form to block your site and you are done as far as sharing accounts is concerned. Though there will likely be more services like these.
|
I need something like this as well and I will try to work on something to detect this soon. :mad:
|
Hello,
Just curious if anyone ever developed this or is working on it. I am a webmaster for a site which requires subscriptions in order to access the content. I'm looking to make sure that a username is not being shared between multiple people... I found this topic and was hopeful something like this already existed. If it doesn't exist I would even consider a paid request. |
Quote:
|
That's the exact oposite of what I'm looking for. I don't care of someone is logging onto the site with multiple usernames as that means they are paying multiple subscriptions. What I'm consider with is a user who pays a subsciption fee, then gives his buddies the account info so both of them can log into the site at the same time. I need to be able to protect against multiple people using one user account. Not one person using multiple user accounts.
|
Right, yeah... ok... then each user must be uniquely identified using ip addresses perhaps, if the same ip is used with the username & password it works... different ip...same username & password... no entry! - but there's a problem with that... many users have shared ip's and ranges... hmmm
|
|
So does anyone know if this exisits or is willing to create it?
|
| All times are GMT. The time now is 12:09 AM. |
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
| X vBulletin 3.8.12 by vBS Debug Information | |
|---|---|
|
|
 More Information |
|
|
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|