
# Password Sharing Prevention

*Article Topics:* [*Members*](/getting-started/common-topics/members.md)

This feature identifies and prevents password sharing by monitoring member login patterns. It automatically restricts account access when a member logs in from too many unique IP addresses within a short period.

## How it works

Every time a member attempts to log in via [OpenID Connect](/nats-admin/members/further-reading/openid-connect.md), NATS will perform a protection check. If a member is on the **Login Protection Whitelist**, the automated checks are skipped, and the login proceeds.

If the number of unique IP addresses seen within the scan window (including the current one) exceeds the value of the Allowed IPs Count setting, the member is automatically added to the **Banned List**.


Banned members are denied access to the site, and any existing sessions/tokens for the member are immediately invalidated. The member is presented with an error message explaining the restriction.

All denied attempts are recorded and can be viewed in the Logins tab for that particular member in the Member's Admin.


## Managing Protections

NATS Admins can manage these protections globally in the Configuration Admin -> Surfer -> [Member Login Log](/nats-admin/configuration/configuration-overview/surfer.md#member-login-log) section, where the following settings are available:

| Setting                                     | Description                                                                                                                                      | Default         |
| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------- |
| `MEMBER_LOGIN_PROTECTION_BAN_HOURS`         | Duration of the automatic ban. Set to `-1` to disable the feature, `0` for permanent bans, or a positive integer for a specific number of hours. | `-1` (Disabled) |
| `MEMBER_LOGIN_PROTECTION_ALLOWED_IPS_COUNT` | The maximum number of unique IP addresses a member can use within the scan window before being banned.                                           | `5`             |
| `MEMBER_LOGIN_PROTECTION_SCAN_WINDOW_HOURS` | The time window (in hours) to look back when counting unique login IPs.                                                                          | `24`            |
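The check described above, written out as an added example (not NATS's own code): it applies the three settings to a constructed login log, skips whitelisted members, and honours the `-1` / `0` / positive-hours semantics of the ban duration. The log format, return values and sample data are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed configuration mirroring the three settings in the table above.
CONFIG = {
    "MEMBER_LOGIN_PROTECTION_BAN_HOURS": 2,          # -1 disabled, 0 permanent, >0 hours
    "MEMBER_LOGIN_PROTECTION_ALLOWED_IPS_COUNT": 5,
    "MEMBER_LOGIN_PROTECTION_SCAN_WINDOW_HOURS": 24,
}

# Constructed login log: (member_id, ip, timestamp). Hypothetical shape.
NOW = datetime(2024, 1, 10, 12, 0, 0)
LOG = [
    ("m1", "10.0.0.1", NOW - timedelta(hours=1)),
    ("m1", "10.0.0.2", NOW - timedelta(hours=3)),
    ("m1", "10.0.0.3", NOW - timedelta(hours=6)),
    ("m1", "10.0.0.4", NOW - timedelta(hours=12)),
    ("m1", "10.0.0.5", NOW - timedelta(hours=23)),
    ("m1", "10.0.0.99", NOW - timedelta(hours=30)),  # outside the 24h window
    ("m2", "192.0.2.7", NOW - timedelta(hours=2)),    # a different member
]


def protection_check(member_id, ip, now, login_log, whitelist, config=CONFIG):
    """Decide whether a login attempt is allowed.

    Returns (decision, ban_until): decision is "disabled", "whitelisted",
    "allow" or "ban"; ban_until is a datetime for a timed ban, the string
    "permanent" when ban hours is 0, otherwise None. (Hypothetical shape.)
    """
    ban_hours = config["MEMBER_LOGIN_PROTECTION_BAN_HOURS"]
    if ban_hours < 0:
        return "disabled", None            # feature switched off
    if member_id in whitelist:
        return "whitelisted", None         # automated checks skipped
    window = timedelta(hours=config["MEMBER_LOGIN_PROTECTION_SCAN_WINDOW_HOURS"])
    recent_ips = {entry_ip for mid, entry_ip, ts in login_log
                  if mid == member_id and now - window <= ts <= now}
    recent_ips.add(ip)                     # the current attempt counts too
    if len(recent_ips) > config["MEMBER_LOGIN_PROTECTION_ALLOWED_IPS_COUNT"]:
        if ban_hours == 0:
            return "ban", "permanent"
        return "ban", now + timedelta(hours=ban_hours)
    return "allow", None
```

With the sample log, a login from a known IP leaves `m1` at exactly five unique addresses and is allowed; a sixth distinct IP tips the count over the limit and triggers a two-hour ban, while the 30-hour-old entry is ignored.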

### Member Banned List

The Member Banned List contains a list of members who are currently restricted from logging in.

Members are added to the Banned List in two ways:

* Automatic Bans: Includes reasons such as "Logged in from more than 5 unique IPs within 24 hours."
* Manual Bans: Admins can explicitly ban a member for any reason.

Admins also have the ability to remove a ban to restore member access before the ban naturally expires.

### Member Whitelist

The Member Whitelist contains members who are exempt from automated password-sharing checks.

Members can be added to the Whitelist permanently or for a specific duration by an admin. This can be particularly useful for trusted members who may naturally rotate IPs frequently, such as mobile users, users on enterprise VPNs, or test accounts.

## Recommended Practices

### Initial Setup

Start with [**Member Login Protection Ban Hours**](/nats-admin/configuration/configuration-overview/surfer.md#member-login-log) set to a low value, such as 1 or 2 hours, to minimize the impact of "false positives" while monitoring effectiveness.

### Monitoring

Regularly check the **Login Protection** section of the Members Admin to identify patterns and whitelist legitimate power users.

### Whitelisting

If a member contacts support regarding a ban, verify their usage pattern. If legitimate, add them to the Whitelist to prevent future interruptions.

## Related Articles

{% content-ref url="/pages/AYoXjX9qtkNnBqrBlNvW" %}
[Login Protection](/nats-admin/members/login-protection.md)
{% endcontent-ref %}

{% content-ref url="/pages/btL1SEC1Ky1YveJMrsyv" %}
[Member Management](/nats-admin/members/member-management.md)
{% endcontent-ref %}
