Making life easier for you.
I hate to disappoint, but a service remembering you on your computer doesn’t eliminate passwords.
There are two primary techniques used to remember or recognize you on a specific computer: cookies or passkeys.
Remembering you
Websites remember that you’ve previously signed in by using cookies or passkeys. In each case, you have to have signed in once using some other form of authentication such as a password, emailed links, or texted codes.
Cookies
The first time you sign into a website like PayPal, you still have to provide your password. But after that you may not, or may not have to for “a while”.
The “trick”, if you want to call it that, is that when you signed in successfully, paypal.com placed a cookie[1] on your machine that says, “This account has already signed in”, and doesn’t ask you to sign in again. For “a while”.
This is more than a convenience. This is what keeps you from having to sign in over and over again as you move from page to page within a site.
This is also why you often need to sign in again after clearing cookies: you’ve removed the information saying you’re already signed in. Signing out also invalidates the cookie.
Cookies do expire after a certain amount of time. The website controls the length of time: it might be as little as an hour or two, or as long as several days, weeks, or even years. The clock may or may not be reset every time you access the site, meaning the time could be based either on the first sign-in or on your most recent activity. Once the time has passed, you’ll be asked to sign in again.
With your password.
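The sign-in cookie described above, sketched from the website's side as an added example (not code from Ask Leo! or from any particular site). It shows the two expiry clocks, one counted from the first sign-in and one reset by each visit, and why signing out invalidates the cookie. Every name, the one-hour lifetime, and the in-memory session table are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-side signing key, constructed for this example
SESSIONS = {}                     # session id -> {"user", "created", "last_seen"}

def _sign(sid: str) -> bytes:
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest().encode()

def sign_in(user: str, now: float) -> str:
    """Run once the password (or code, or link) has been checked; returns the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": now, "last_seen": now}
    return f"{sid}.{_sign(sid).decode()}"

def set_cookie_header(cookie: str, lifetime: float) -> str:
    # Secure + HttpOnly keep the cookie off plain HTTP and away from page scripts.
    return (f"Set-Cookie: session={cookie}; Max-Age={int(lifetime)}; "
            "Secure; HttpOnly; SameSite=Lax")

def check_cookie(cookie: str, now: float, lifetime: float, sliding: bool):
    """Return the user name if the cookie is still good, else None (sign in again)."""
    sid, _, mac = cookie.partition(".")
    if not hmac.compare_digest(mac.encode(), _sign(sid)):
        return None                       # altered or forged cookie
    sess = SESSIONS.get(sid)
    if sess is None:
        return None                       # signed out, or never issued
    # sliding=True: clock restarts on every visit; False: counts from first sign-in
    start = sess["last_seen"] if sliding else sess["created"]
    if now - start > lifetime:
        del SESSIONS[sid]                 # expired: forget the session
        return None
    sess["last_seen"] = now
    return sess["user"]

def sign_out(cookie: str) -> None:
    # Removing the server-side record makes any copy of the cookie useless.
    SESSIONS.pop(cookie.partition(".")[0], None)
```

Because the server keeps its own record of each session, a cookie copied from a shared computer stops working as soon as the account holder signs out.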
Passkeys
Passkeys are a new technology that in a sense do the same thing but in a significantly more secure way. Here’s how passkeys work:
- You provide your username to the service you’re signing into.
- The service sends a code or a link to your email address or phone.
- You enter that code or click that link to confirm you are the account holder, and you’re automatically signed in.
- The service then creates a passkey, which is securely stored on that device.
Future sign-ins on that device now rely on the passkey to both identify and authenticate you. “We recognize you on this computer” is one possible message when you return to the site sometime later.
You still need to sign in once on each device from which you want to access the account. That may involve a traditional password, particularly as we transition from passwords to passkeys on existing services.
Using passkeys, it’s possible the account could be completely password-free after that.
Do this
Obviously, continue to use proper password hygiene when passwords are used.
Particularly if you’re using a shared computer, be sure to sign out of your important accounts when you’re done. This applies to both passkey and cookie-based approaches to remembering you.
Footnotes & References
1: Or cookies. Exactly how websites implement this is completely up to them, and a variety of techniques are used, I’m sure.
Come on Leo! Be honest with your readers! You know as well as I that one of the primary purposes of cookies is so that websites can track you and your browsing activity! The ultimate end game being of course increased revenue. That’s what has recently motivated — apparently via legislation in some cases — that websites give you the option to accept no cookies or only accept “necessary cookies” — where “necessary” is of course in the eye of the beholder. Don’t want to be tracked? Set your browser to delete, i.e. not save, cookies during your session. This can be in most browsers like Edge or Firefox … if indeed it works.
It is not one of the primary purposes, no. That it’s being used for that is not why cookies exist. (And, indeed, the fact that tracking is happening without cookies at all speaks to their value, or lack thereof. They were just the easy way.)
Delete cookies, and you’ll have to log in for each webpage you visit. That might sound OK, but without cookies, navigating to the next page on a website will require a new login. Deleting cookies after closing your browser is not so bad. It’ll block a few targeted ads, not all, but it’s pretty much useless.
I think it is appalling that financial institutions and online stores, etc. send emails with a link to view statements or messages, etc. Usually the link is a long one with slashes here and there followed by gibberish so that you can go directly to the information. I always go directly to their website (easier if you have put it in the URL (website address) in your password manager). It is too easy for a spammer (crook) to make the link look like it is legit, with perhaps one letter changed.
Yes, you’d think they would know better. Seems they value convenience over security.
The scariest one is a bank. Pull it up in Google the password and my name is preloaded. I have signed out multiple times. Cleared cookies signing out before and after. It still displays. Headed to their real office soon.
That’s not the bank doing it. It’s either your browser or your password manager auto-filling the fields for you.