tags:

views:

1311

answers:

8
+6  Q: 

Prevent users from starting multiple accounts?

I know that in the end it, can't be done.

But, what are the options to:

  a) limit the options for persons to create multiple accounts,
  b) increase the chance of detecting multiple accounts / person

for a blog-like web service?
(people can sign up for their own blog)

Update:
I think the 'limit the options' has been answered nicely. (there is no reliable method, but we can raise the bar)
However, I would still like to know what other options there are to detect multiple accounts?

A: 

One common option is to verify the persons identity through their e-mail. Actually make them respond to an e-mail sent to their account. Some sites take this a step further and don't allow addresses from domains such as yahoo, g-mail, hotmail, etc ...

DaveK  2008-10-04 11:17:13
This still doesn't completely prevent someone from creating multiple accounts, but since most people only create one active mail account it's probably the closest that you can come.
Noah Goodrich  2008-10-04 11:24:13
For such sites I use http://spam.la or http://fakemailgenerator.com/ wich frequently changes the domain for the email address. I think ther is no way to prevent this without annoy the /good/ users.
jk  2008-10-04 12:08:42
And you've just excluded anybody who uses certain email clients.
David Thornley  2009-10-30 21:15:51
The way spam is these days, webmail isn't the invalid choice, it's the best choice, for avoiding spam.
Tchalvak  2009-10-31 01:46:16
+3  A: 

You can't and you shouldn't. You are not dealing with the real world guys, but with accounts, so treat them as abstract entities which have the equal rights to live.

Some options I can imagine on the fly:

-- Only one account for email address. But I can create more then one email... or use Mailinator.

-- Long and tedious verification procedure. But that will discourage the users from registration

-- bind the IP to the account and block(temporarily?) that IP from creation of another account. But two different users with the same gateway will be blocked...

-- Use the cookies. But the user can delete them.

andy.gurin  2008-10-04 11:23:01
I love being able to generate random permutations of my email address at will. [email protected] -> [email protected] notation, or [email protected] -> [email protected] family of tricks, where "variable" can be anything.
Kent Fredric  2008-12-25 08:08:54
+1  A: 

Email address is a unique identifier for most people and is commonly used. You could also write some logic to prevent the [email protected] address from being used if [email protected] or another [email protected] is used. In the end, however, dishonest users will find ways to get duplicate sign-ups.

If you had it to your Terms of Service, you could make it enforceable and delete user's accounts if they have more than one. Although as seen by Digg, this is not a popular option.

jeffl8n  2008-10-04 11:24:41
I always create a special alias mailadress pr. account I create on "so called" free services. Then if I start to receive spam, then I just remove my alias address.having access to loads of domains would let me build hundreds of free accounts by this suggestion. Dont trust emailaddresses as being unique to people. I know I am not alone about this approach.
BerggreenDK  2009-11-26 01:20:49
+9  A: 

I think the best method would be to remove the incentives for creating multiple accounts.

Do you limit the users in any way? Can those limits be overcome (easily) by creating multiple accounts? If so, then maybe you should think about removing those limits.

aib  2008-10-04 11:27:51
+3  A: 

You could send users a SMS message to verify before creating the account. Since people can't get cell phone numbers as easily as they can get email addresses, this might work. Some people might be able to get two or three accounts, but not an unlimited number. There are a number of services that let you send SMS messages programmaticly, including Gizmo SMS, Text4Free and TxtDrop.

Of course, this requires users to have cell phones, and be willing to provide you with the number.

pkaeding  2008-10-04 11:33:44
+1  A: 

Ask users to register with a credit card. You don't have to charge anything to the card, you can just check that the card is valid.

Adam Pierce  2008-10-04 11:42:06
Motivated users may be willing to use more than one credit card. This approach still seems inadequate.
antik  2008-10-05 02:37:38
Or generate a fake credit card number.
Malfist  2009-05-18 15:30:15
+9  A: 

I'm assuming you're talking about a free service? I can't think of any ways that don't either have serious drawbacks or would be trivial to defeat. Things like setting a cookie, requiring a unique e-mail address are easy to defeat.

Requiring a unique IP address is not foolproof but might work to some degree, up to the point that you have lots of users and get complaints from people behind proxies.

The best ways are to charge money or require people provide some kind of personal information, like real name/phone/address that you verify, or a CC number, but that's invasive (then again maybe you only want serious users who are willing to provide this sort of info).

I guess I would turn the question around and ask "Why don't you want to let people have multiple accounts?"

There may be some other ways of mitigating whatever your underlying reason is, i.e. if you're worried about lots of orphaned blogs you could scan for a period of inactivity and disable them or at least schedule them to be looked at by a human. If you're worried about spam blogs you could periodically scan all blog content for spammy stuff. If you're worried about bots and are using some generic software like WordPress, change the names of the form variables and otherwise protect your forms from bots.

Definitely think of other ways of dealing with the problem, because you are not going to be able to block people from registering multiple accounts if it's a typical free service like Blogger.

As for detecting multiple accounts by one person, the first thing you need to do is have a log file store complete data on every user login (username, timestamp, IP, user-agent etc.), that you can then analyze later. I'll list a few things to look out for, but just by poring over the log file you will likely discover other patterns. Some ideas of things to look for are:

  • Set a tracking cookie (i.e. random hash) and log its value on login, look for multiple logins from the same cookie value
  • Logins from same IP address/user-agent combination
  • Logins from same IP address only (less reliable than the previous two bullets)
  • Accounts with email addresses from free webmail services (Gmail etc.)
  • Accounts with same password

If you're worried about spam blogs, you could try doing some analysis of blog content, i.e. extract all the <a href>s and look for correlations between blogs. You could run the blog content itself though something like SpamAssassin or otherwise filter for spammy words like "viagra" and "rolex."

joelhardi  2008-10-04 12:03:04
that list was really helpful, cookies are a nice trick I'm going to implement right now, thanks :)
Gilles  2008-10-06 19:47:59
Cool, I think that's the way to go. It's a lot easier to pinpoint someone with several accounts and remove them saying "sorry, you broke our TOS and have multiple accounts" (without telling how you know of course) than to detect it at registration time.
joelhardi  2008-10-14 03:58:09
... If they do get blocked trying to register a second account, then they'll just hunt until they find a way around the block. And, it stings them more to have an active account that they maybe invested a lot of time in deleted. They'll think twice about trying it again.
joelhardi  2008-10-14 04:03:14
Ehmm... I run at least 5 different browsers on my machines. Thats going to give me 5 different user-agents + 5 different cookies - same IP yes, but I am behind a router/NAT as many people are.
BerggreenDK  2009-11-26 01:15:46
A: 

The most difficult to break methods I've seen implemented in real life are to use a separate hardware medium for confirmation (sending a confirmation code via SMS for a public service, or mailing an RSA token for something more sensitive, like intranet access), or to ask for a financially-bound piece of identification, for example a bank account number (Paypal deposits a few cents to your account and the sum of the amounts is your passcode) or a valid credit card number.

Leo  2008-10-05 02:00:13

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?