Password Sharing

Events happening in the community are now at Drupal community events on www.drupal.org.
dano's picture
Posted by dano on August 8, 2009 at 2:59am

Hello,
I am new to both Drupal and this group so please bear with me… ;-)

We currently operate an ‘on-line only’ local news site. We would like to add some premium member (subscriber) only content to our site to increase revenue. We serve a small area where everyone knows everyone, and are concerned that people will share their login credentials with all their friends. This will seriously undermine our revenue potential and must be dealt with somehow.
We would like to do something like set a cookie from an email link and then auto login our users. I am not having much luck finding any way to do this though.
Has anyone here ran into anything like this in the past?

Thanks!
Dano

Categories:

Comments

Maybe there's an easier way

Posted by ken hawkins on August 8, 2009 at 12:12pm
ken hawkins's picture

I don't think there's a module that does exactly that, but it wouldn't be too hard to custom code the unique page to set a cookie (using jquery's cookie plugin).

But I wonder if the overall experience would be frustrating to users, by making them dig up the e-mail whenever they log on from a different computer.

So, maybe there's a better way?

One thing you could do is use the Password Expire module to make the system set a new password every week for each user (you'd have to adapt the module a wee bit).

Sure, folks could then share the password on a weekly basis, but it'd probably be easier for them to just go on and subscribe themselves.

===
Another idea:
Now, what would be interesting is if you could adapt the Password Expire module to reset the password after X logins. Because folks that use only one or two machines aren't logging in and out that much, and those that share the password will be logging in and out a lot more.

Combine that concept with auto expiration of user session each day, and you can pretty easily find password sharers in those that login more than twice a day.

I kinda rambled, but hopefully it's given you some ideas.

You may be worrying ...

Posted by yelvington on August 8, 2009 at 12:41pm
yelvington's picture

You may be worrying about a non-problem. Password sharing gives everyone access to the user's account information and the ability to hijack/change account information, including the password. Generally I've found people to be very protective of their personal information. You can take advantage of this by tying the account to personal services, such as commenting and blogging.

One-time login links would

Posted by christefano on August 8, 2009 at 1:11pm
christefano's picture

One-time login links would work here. Each link is tied to a specific account, is valid for only 24 hours and can only be used once. The Login one time module can programmatically create them and the One-time login links module can generate them manually, but you'd also need something like User Protect to prevent people from manually changing their accounts passwords.

In general, I agree that this is an edge case that may not be worth worrying about. It's difficult to say without knowing more about the spec of the site, though, and it's an interesting problem to solve. The combination of modules listed above would essentially turn a Drupal site into a no-password system and still be generally usable.

I would suggest to limit

Posted by playfulwolf on August 9, 2009 at 8:48pm
playfulwolf's picture

I would suggest to limit sessions for a user to just 1. Tehre are maybe 2-3 modules which can do that. If someone shares password for too many people they still cannot log in at the same time.

---
naslenas.com. Drupal blog experiment.

drupal+me: jeweler portfolio

"Risky" Class of users?

Posted by morisy on August 10, 2009 at 2:16pm
morisy's picture

Never tried something exactly like this, but it sounds like if you implemented this for all users you'd be asking for support hell.

Christefano seems to have some great suggestions, but just curious if you've considering giving most users normal access until their account logs suspicious activity (multiple sign ons at the same time, logging in from some number of different IPs within 24 hours, etc). Then, you could put up a warning that says, "It appears your account may have been compromised, we've changed your login settings," and implement the single-sign on method. It'd probably be enough of a deterrent that users would voluntarily give up "sharing" their subscriptions.

Otherwise, I think so many users would be turned off by the usability problems you're just shooting the business case in the foot.

Interesting problems.

Michael Morisy
Web/Development Committee, SpareChangeNews.net (internally being redesigned)
Twitter: @morisy

Web guy, SpareChangeNews.net
Twitter: @morisy / @sparechangenews

Awesome Community Here... Thanks!

Posted by dano on August 10, 2009 at 3:14pm
dano's picture

It looks like all the buzz I read about Drupal and the great developer community surrounding it was well founded. Thanks to everyone for all your great suggestions here!

I am currently playing with the ‘Login one time’ and ‘User Protect’ combo suggested by christefano. So far it is working out well.

Since I haven’t been a Drupal user for long I don’t have a good feel for how often a user will lose their cookie based login and need to have another login link sent to them. If this doesn’t happen very often it seems like this will be a very easy system for our subscribers. If on the other hand they have to do this several times per week or day then it will be too cumbersome for them. In the later case it might make something like what morisy suggests a better solution. (only do the onetime login link for cases of ‘suspected’ password sharing)

Now my next question is how do we get a user to pay us through paypal before we send them their first ‘one time login link’.

I am looking at lm_paypal subscriptions at the moment.

I also found a guy actually selling a paypal subscription module (http://www.moneyscripts.net/drupal-paypal-subscriptions) that seems to do what we want. I am hesitant to go with something supported outside the drupal community though.

Any thoughts on PayPal integration with the onetime login links idea?

Thanks again for all the great ideas here!
Dano

alternate limitation

Posted by greggles on August 18, 2009 at 2:06am
greggles's picture

The http://drupal.org/project/single_login module provides a way to limit users to a single login. It's not available for 6.x yet, but upgrading shouldn't be hard.

Regarding how to charge people, I suggest using the private module, ubercart, and sell roles via ubercart subscriptions. I haven't done the latter myself, but know that lots of folks have.

--
http://growingventuresolutions.com | http://drupaldashboard.com | http://drupal.org/books

knaddison blog | Morris Animal Foundation

Thanks, I wasn't aware that

Posted by christefano on August 26, 2009 at 2:14am
christefano's picture

Thanks, I wasn't aware that a Single Login module existed. Here's a D6-dev version: http://drupal.org/node/420724

Newspapers on Drupal

Group organizers

Group categories

Topics - Newspaper on Drupal

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: