Cygnus_X

[web] Preventing multiple accounts

This topic is 4607 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.


Does anyone have a good set of rules/logic that would help prevent a user from creating multiple accounts on a website? I already have an email verification system in place on my site, but I've found that there are a few people that own their own domain name that register with emails such as A@wpgs.com, B@wpgs.com, C@wpgs.com, etc... then verify their email from a catch-all account. My next step is to implement IP address tracking, but I'm afraid if I set a limit of 3 users per IP, then I'd rule out 99% of users on a college network and the like from ever registering. My third thought was to track accounts by both IP and password, and force a user that registers with an IP address that has already been logged to use a new password... but I figured this subject has been thought of before and I wanted to hear everyone's feedback. Anyway, thanks in advance.

To put it simply you can't. Any system you put in place can either be bypassed or would prevent "legal" users from registering.

theTroll

Why not let them, but make them wait a period of time between registrations, like enforce a 1 account per IP per day rule?

If your site requires cookies in order to work, you could set a persistent cookie containing a random value when they register - if another registration is made without clearing this cookie, you can detect it.

You could also do the same thing at login time. So if there are multiple accounts within the same web browser, you will detect them unless the user is constantly deleting their cookies or blocks this *specific* cookie.

If your site requires cookies in order to work anyway, it's going to be moderately difficult to get around this block.

Then you have a policy which is to ban *both* accounts when you detect someone with multiple accounts - this should act as something of a deterrent too.

You'll still be alright with multiple users on the same IP, or even the same machine, provided they never share browser profiles.

Mark
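The cookie-linking idea from the post above, sketched as an added example (not code from the thread). The cookie name `device_id`, the `DeviceLinker` class and the in-memory store are assumptions for illustration; the account names in `demo()` are constructed.

```python
import secrets
from collections import defaultdict
from http.cookies import SimpleCookie

COOKIE_NAME = "device_id"        # hypothetical cookie name
ONE_YEAR = 365 * 24 * 3600       # "persistent": survives browser restarts


class DeviceLinker:
    """Links accounts that present the same persistent browser cookie."""

    def __init__(self):
        self.accounts_by_token = defaultdict(set)   # token -> account names

    def observe(self, cookie_header, account):
        """Call at registration and at login.

        Returns (Set-Cookie value or None, other accounts seen in this browser).
        """
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE_NAME)
        token = morsel.value if morsel else None

        set_cookie = None
        if token not in self.accounts_by_token:
            # Missing cookie, or a value we never issued: treat as a new
            # browser and hand out a fresh, unguessable token.
            token = secrets.token_urlsafe(32)
            out = SimpleCookie()
            out[COOKIE_NAME] = token
            out[COOKIE_NAME]["max-age"] = ONE_YEAR
            out[COOKIE_NAME]["path"] = "/"
            out[COOKIE_NAME]["httponly"] = True
            out[COOKIE_NAME]["secure"] = True
            set_cookie = out[COOKIE_NAME].OutputString()

        seen = self.accounts_by_token[token]
        others = seen - {account}    # non-empty => same browser, other account
        seen.add(account)
        return set_cookie, others


def demo():
    linker = DeviceLinker()
    hdr, first = linker.observe("", "alice")            # first registration
    cookie = hdr.split(";", 1)[0]                       # browser sends this back
    _, second = linker.observe(cookie, "alice2")        # same browser profile
    _, third = linker.observe("", "bob")                # no cookie: no signal
    return first, second, third
```

A request that arrives without the cookie produces no link at all, so the result is best treated as a review signal rather than as proof in either direction.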

Usually when you're registering to some website made in my country (South Korea), you can't register twice. They force you to enter your Social Security # during registration, and there seems to be some mechanism to match your name with the SS#. Also, some companies require you to submit a cell phone # that matches the SS# in your cell phone carrier's database.

So let's say somebody knows your SS# and name. (Also, South Korea's SS# is based on your d.o.b.; the first 6 letters are one's d.o.b.) And let's say somebody falsely registered. You're screwed. You need to make photocopies of your family tree, your birth certificate and driver's license to reset your password.

Now, I think this type of system exists to protect the youth from sexual harassment, restrict offensive content inside forums, and others.

Well, this was just some negative/positive facts about being able to register only once. Hope it was some help.

I can't see how you can do this effectively by asking people for a social security (or some other national registration number).

If there is a way to validate this number, then an attacker can use it to simply generate false ones. Even if you can validate it with 100% certainty, there's no reason someone can't simply put in someone else's number (if there are enough of these numbers, the pattern can be guessed anyway).

Mark

My system is set to delete cookies right after I get them, so cookies would not help at all in my case. If a person wants to bypass your "method" for preventing the multiple accounts, they will. Until we have IDs on each computer built into the CPU there is no way to prevent it, and even with that they can always just use another computer (I have three set up right now). I have always believed in the keep the honest folks honest, so just ask for an email address and leave it at that.

As for asking for "personal" information. Social Security numbers, phone number or anything else like that. First of all, most people would not give out that information, I know I wouldn't; second of all, if people are crazy enough to do it and you get hacked, you will be "responsible" for the loss of information. Make sure you have a good lawyer.

theTroll
