Does the Browser Store Passwords in Cookies?

It’s time again for one of my most common answers: it depends.

It depends, mostly, on what webmail service you’re using.

Regardless, you may very well be at risk – not only for web mail, but any account that requires you to login.

]]>
<![CDATA[

First let’s be clear about something – it’s the web site you’re visiting that determines what is and is not saved in cookies. IE
actually has nothing to do with the decision, other than providing the mechanisms to store and retrieve cookies.

Since it’s the websites decision, the answer of exactly what gets stored in a cookie will vary dramatically from site to site.
Each will probably save something very different than all the others.

In general, the strictest answer to your question is no, websites do not actually store your password in the cookies that they
place on your machine. That would be fairly poor security, as then anyone with access to your machine could examine the contents of
the cookies and retrieve your password. I’m sure it’s been done, but most of the commercial services have hopefully moved to more
secure approaches.

At a minimum, the password is hashed or encrypted, meaning that the cookie makes sense only to the service in question, and can’t
be deciphered. Better yet, the cookies might contain some other kind of data not related to your password at all, but related to
information contained on the service’s computer. For example, the cookie might contain the number 12, and then the service can look
up in its table of currently logged in users entry number 12 and determine if you’re logged in, how long you’ve been active, and
whatever else they need to know to provide their functionality.

But you may still be at risk.

The information that’s kept in cookies or wherever is used to keep you logged in – so that you don’t have to login to see every
page, every message, every click in your webmail program. Even if you browse to a different site when you return it’ll probably
remember that you’re logged in for a while.

And there’s the problem. How long’s “a while”?

You can guess the answer: it depends.

Some services (banks in particular) keep this period rather short. Others seem to keep it fairly long, presumably for your
convenience. That means, however, that once you’ve viewed email on someone else’s computer they may be able to return to your email
after you leave.

Unless, that is, you do one thing when you’re done:

Sign out of your email.

Signing out removes the cookies or otherwise invalidates the information that says you were logged in. If you visit that site
again, you’ll have to login again.

Technically you could also clear cookies, but that shouldn’t be necessary.

However, there’s still one other area that catches people by surprise: remembered passwords.

If the browser is configured to remember passwords, and you accidentally allow it to remember your password when you login to
your email, then that password can be trivially
recovered by anyone who has access to that computer.

No matter what you do, or how you do it, logging in to your accounts on someone else’s computer always calls for extra caution.
In fact, it’s something that I simply avoid if at all possible.

There are just too many things that can go wrong.