This guide was updated on February 8, 2023
For subscription publishers, the prospect of subscribers sharing login credentials with non-paying users can be a concerning one.
Password sharing is often a strong indicator of a highly valuable product. (Arguably, the only thing worse than subscribers sharing passwords is subscribers not sharing passwords). But the potential for lost revenue and the notion that audiences are “pirating” content can be frustrating nonetheless.
Widespread password sharing can present a significant risk for publishers if left unchecked, resulting in diminished subscription revenues, loss of valuable user data, and skewed metrics. But when monitored and managed carefully, some publishers believe it benefits their businesses by exposing their content to new audiences and providing valuable sampling opportunities that ultimately help to grow their paying subscriber bases.
Attitudes and approaches differ from one publisher to the next and are often informed by the nature of their content, audiences, experience, budgets, capabilities and business priorities.
Some major publishers that already employ strategies to combat account misuse say they’re mostly satisfied those measures are keeping password sharing to acceptable levels,, while some smaller publishers say they lack the technology to identify possible account-sharing activity, let alone the resources or the ability to attempt to combat or capitalize on it.
Meanwhile, publishers targeting professional and business audiences often pay particularly close attention to password-sharing – partly because their products are typically priced significantly higher than most consumer-facing publications, but also because they see particular value in the opportunity to upsell accounts they suspect are being used by multiple people.
This guide outlines the considerations publishers should make when deciding how important password sharing may or may not be to their businesses, and details strategies and tactics that can be employed to help limit password-sharing activity and recover lost subscribers and revenue.
What is password sharing?
Password sharing refers to instances where paying subscribers share login credentials with one or more non-subscribers, enabling them to access publishers’ subscriber-only content, services and features without paying.
Why password sharing is a concern for publishers
Password sharing has a number of potential downsides for subscription publishers. These range from the straightforward, such as lost revenue, to secondary considerations around data collection and optimization:
The obvious downside of password sharing for publishers is the potential for lost revenue. If a subscriber shares their login credentials with multiple users, it’s safe to assume — since they’ve gone to the effort of procuring credentials from a third party — that one or more of those users may have otherwise paid for a subscription themselves.
The potential for lost revenue is more pronounced for those publishers who place highly valuable single pieces of content behind paywalls, such as in-depth reports or exclusive data. While such content is often a powerful driver for new conversions, it can also fuel password-sharing activity. If readers desire access to content on a one-off rather than recurring basis, their propensity to “borrow” credentials may be increased.
Loss of user data
For many publishers, the ability to understand the nature of their audiences is central to the viability of their business models. In addition to lost revenue, password sharing can result in missed opportunities to collect valuable first-party data, including demographic information, interests and preferences, or attributes such as company type, job titles, functions or responsibilities in a B2B setting. These missed data opportunities can impact other areas of publishers’ businesses, such as their ability to sell advertising and sponsorships and leads to partners or to effectively cross-sell other products and services they offer.
Widespread password sharing can also skew the behavioral information publishers use to optimize their sites and products, which can result in publishers optimizing to bad signals. If they’re not identified and monitored, password sharers can easily be misconstrued as “power users,” for example, whose behavior, tastes and preferences are often more closely studied and used to help inform editorial, product and business decisions.
Sizing the problem
Password sharing is a phenomenon that affects nearly all subscription publishers, but establishing to what degree — and how significant the impact is for their revenues and businesses — isn’t easy.
When evaluating the impact of password sharing on their businesses, publishers should attempt to ascertain:
- How many users are regularly sharing their accounts?
- What portion of non-paying account abusers would likely convert into paying customers?
- Is cracking down on password sharing cost-effective? (Since doing so can be time and resource intensive.)
Why significance varies by publisher
Password sharing might be difficult to measure and benchmark, but publishers should consider how significant it might be for their specific subscription products and businesses. There’s no one-size-fits-all approach or “right answer.”
While one publisher might embrace password sharing as an opportunity to grow its audience and expose its content to more prospective subscribers, another might reach the conclusion that it significantly hurts revenue. Factors such as the nature of content, audience size, business model, subscription price point, technology capabilities and even cash flow are key variables in this determination.
Publishers should also take care to make their own determinations about the importance of password sharing based on their specific businesses and needs, rather than relying on external parties to make it for them. Common reasons for turning a blind eye to password sharing often include:
- Users with shared passwords are unlikely to pay for a subscription anyway.
- It drives sampling and pushes audiences down the conversion “funnel”.
- It exposes new audiences to the value of a publishers’ content.
Those assertions may or may not be accurate for any given publisher, but publishers know their businesses best and should make their own assessments.
Identifying password sharers
Pinpointing accurately which accounts are being used by multiple users is, unfortunately, nearly impossible. Subscribers often use their accounts legitimately across a range of devices, from a number of different locations and IP addresses, and increasingly via VPNs, proxies, and other technologies in an attempt to mask their behaviors and protect their data.
As a result, identifying a shared account from one that’s being used by one person is not an exact science. But by monitoring IP addresses, device types and other abnormal behavior — such as logging in from vastly different locations at the same time — publishers can at least track suspicious activity and begin to identify and quantify accounts they suspect might be sharing passwords.
Some paywall technology providers now offer the ability to measure and report on “suspicious” account activity, often to varying degrees of severity. For example, they may differentiate accounts that exhibit “possibly suspicious” behavior from those that are “very suspicious.” These tools may also be used to export data on suspicious accounts, such as email addresses, to be used to inform mitigation initiatives.
Technologically advanced publishers might alternatively opt to monitor their own traffic to identify potential password-sharing activity, while plugins for content management systems such as WordPress might also be used to monitor login behavior and website usage patterns.
Limiting password sharing
Publishers that decide to proactively address suspicious account activity should evaluate the following tactics, approaches and considerations:
Setting clear expectations
Before attempting to crack down on password sharers, publishers should first ensure that subscribers’ expectations have been clearly set and that their permissions have been clearly communicated to them.
Any relevant terms, conditions or agreements should include specific language about what subscribers are and are not expected to do with their account credentials. Agreements should reserve publishers’ rights to remove access, reset passwords and/or otherwise curtail use if those conditions are abused. This might include specifying:
- That passwords and login credentials must not be shared with others.
- The number of people permitted to access a single account as part of their subscription agreement. (For example: 1 person per account.)
- How many devices may be used simultaneously
- Whether or not generic or role-based usernames or emails are permitted. (For example: [email protected])
Don’t hide behind T&Cs
While tucking away password-sharing language deep in terms and conditions legalese might technically prohibit account sharing, publishers might also benefit from being clearer about what subscribers can and can’t do with their accounts before they purchase them. During the checkout process, subscribers could be required to explicitly agree not to share their account credentials, for example.
Be upfront about the cost
Some publishers might also find clear messaging explaining that they’re funded by reader contributions or subscriptions — and specifically explaining that password sharing threatens their ability to create content — can act as an effective password-sharing deterrent.
Even for those publishers without the intent or technical ability to monitor and enforce password sharing, clearly setting expectations and reserving rights can act as a deterrent nonetheless, and leaves open the possibility for them to do so down the line.
Limiting concurrent sessions
Limiting the number of simultaneous logins that a single account is allowed is a blunt but effective way to mitigate password sharing and account abuse.
When a user logs in to a paid subscription service, the session is recorded as an active session. When the maximum number of concurrent sessions is reached, any additional login attempts from the same account can be rejected ensuring a single account cannot be used by multiple people at the same time. Similar limitations can be placed on IP addresses, or even specific devices via the use of device fingerprinting and other device tracking techniques.
The downside of limiting sessions and logins is that some users may bounce between different devices and find themselves frequently logged out of their accounts as they do so. Some publishers, therefore, communicate to subscribers that their accounts may be used on a limited specific number of devices in order to set expectations and preserve the experience for paying subscribers.
One of the most effective ways to limit account abuse is to require multi-factor authentication (MFA) at login. MFA is designed to make it more difficult – or at least more inconvenient – for unauthorized individuals to access subscribers’ accounts.
MFA requires users to provide more than one form of authentication to gain access to their accounts. For publishers, this typically means asking subscribers for something they know (such as a password or personal question), and also proving access to something they have (such as an email account or a device such as a phone.)
For example, in order to complete the login process subscribers may also be required to enter a code that has been sent to their email inbox or to their phone via text message. Codes may only be valid for a short period of time, and/or unique to a user’s session, meaning even if an unauthorized user knows a subscriber’s password, they cannot access the account without also having access to one-time codes.
MFA can be taken a step further when combined with a limit on concurrent sessions. If an account is only accessible by one device at a time, account holders and unauthorized users would need to log in at the beginning of every session, resulting in an inconvenient experience that many users are unlikely to persist through.
It’s near impossible to be 100% certain whether or not a subscriber has shared their password or account credentials with a third party, or that more than one person is accessing the same account.
As a result, any suspicious account activity is, by default, a security issue – and one that publishers have a responsibility to take seriously. One approach to protecting the security and integrity of users’ accounts is to manually reset the passwords of any accounts that display suspicious activity over a given period of time. (The ability to reset passwords is baked into solutions offered by all major paywall technology providers.)
As a byproduct, regular account security measures like these can also help reduce the effectiveness and appeal of password sharing, since anyone disclosing their account credentials will need to recirculate updated passwords or other login information. Even if a user shares new login credentials after being forced to update, they’ll pop up on any suspicious activity list once more, and the cycle continues.
If resetting passwords does not prove effective in mitigating suspected account-sharing activity, manual outreach — typically via email — is the logical next step. Effective approaches include:
- Making subscribers aware that suspicious activity has been detected on their account (in the form of multiple logins), and that — for their own security — their password has been reset.
- Expressing concern that a third party may have obtained and shared their login credentials with unknown entities.
- Stating that multiple logins have been detected, and explicitly asking if the subscriber may have accidentally shared their credentials with a third party.
Outside of email, publishers might opt to flag suspicious activity to subscribers via on-site messaging such as popups or other notices or to leverage other communication channels such as direct messaging or phone call, if available and feasible.
Striking the right tone
In instances where users are being contacted because suspicious logins and activity have been detected, it’s important to remember:
- It’s near impossible to say with certainty that a user intentionally shared their password or login
- Friendly emails are often more likely to elicit a favorable response than passive-aggressive or accusatory ones.
- Emails from real people and named email addresses are more likely to prove effective than those from generic addresses, or those in templated formats that are easier to ignore.
Role-based emails and other T&C violations
In instances where there’s a clear and demonstrable violation of terms by a subscriber, outreach can be far more specific and direct. For example, if an account is tied to a role-based email address that violates terms (such as [email protected]), the account owner can be gently informed and invited to update their account information accordingly. Tone remains important — and there’s likely little to be gained from coming across as accusatory — but pointing to a demonstrable violation of terms gives publishers a stronger leg to stand on than multiple logins does.
When password resets and attempts at manual outreach have proved ineffective, publishers might consider the more extreme measure of disabling account renewal.
In instances of repeated logins from multiple devices, this action can be chalked up to ongoing security concerns. In those where a policy is being violated, publishers might wish to make clear that’s why renewal is being disabled. It’s typically best to avoid canceling subscription terms before they expire or come up for autorenewal, however, to avoid the necessity to issue partial or full refunds.
For many publishers, there is little to prevent a password sharer from simply purchasing a new subscription using a different email address or credentials, but the action may at least signal that ongoing account abuse will continue to result in security checks, outreach, and account renewal roadblocks.
Password sharing as a growth opportunity
Given the technical difficulties with accurately identifying password sharing — and the operational overheads associated with manual outreach and mitigation tactics — some publishers opt to view password sharing as a growth opportunity rather than a threat.
As outlined above, publishers must weigh a range of variables when making such a determination, including the nature of their content and audience, price point, and more.
Here are some effective tactics for using password sharing to grow subscribers and recover potentially lost revenue and data.
Group subscription leads
While password sharing can result in lost revenue, it’s also a strong signal that there is demand for a publisher’s content. In many cases, subscribers do not purchase a subscription with the intent of sharing their account with multiple users (except when such intent is clearly telegraphed by the use of role-based email addresses). If given the benefit of the doubt, subscribers are likely to have signed up, seen value in the content and felt compelled to share it with others.
The most egregious or suspicious accounts, therefore, present strong opportunities for upselling to group subscriptions or, as is more common in B2B settings, potentially lucrative company-wide licenses.
Lists of accounts deemed highly likely to be password sharing can therefore represent powerful sales tools and highly-qualified leads for sales teams. Outreach to such users may mention suspicious activity, or might instead focus on the fact that they’re being offered an exclusive and highly-attractive discount on a group subscription by virtue of being a highly engaged reader or “power user.”
Once again, the personalized touch can work well in this scenario. For publishers with sales teams, lists of suspicious accounts should represent an appealing opportunity. For smaller publishers, direct outreach from editors can prove particularly effective.
Granting “bonus” accounts
Those publishers that suspect — or have come to expect — a high level of password sharing might consider offering subscribers the ability to share one or more complementary accounts at no extra charge. This ability can be publicized in marketing materials or at the point of purchase and can either be extended to all subscribers, or targeted more specifically to those accounts suspected of password sharing.
The bonus account tactic can have four key benefits:
- Recovers first-party data that would otherwise be lost, such as names, contact information, job titles, etc.
- Avoids skewing of behavioral data, since users will use independent accounts that reflect their own specific behaviors and interests.
- Enables highly qualified leads to sample subscriber-only content.
- Gets more users into the sales funnel, with the ability to gauge their interests, the value they’re extracting from the product, and the powerful option to market to them directly via email.
The bonus account tactic can prove particularly useful for publishers that see particular value in first-party audience data, and/or have relatively low-priced subscription products and other revenue streams. If they’re unable to recover lost revenue in the form of subscription payments, they can at least recover valuable data and, perhaps, the opportunity to cross-sell other products.
Whether a publisher has a formal referral program or not, offering suspected password sharers discounts for referring other subscribers can prove an effective method for curbing sharing behavior in the first place.
A password sharer might be offered an entirely free subscription for referring three other paying subscribers, for example, or might instead be compensated directly for every new subscriber they refer.
Password sharers are often viewed as a thorn in publishers’ sides, but with the right incentives they can be transformed into a highly effective referral engine.