Leo, you’ve made a big deal about how insecure it is for an internet browser to remember your login information because it can be viewed by anyone using that browser. However, what about websites that offer to remember your login information for you? An example of this is Google. When you are logging in you can simply check a box that says, “Stay signed in” and unless you actually physically log off, you’ll remain logged in. If you don’t check that box, simply closing the browser will log you off.
Let’s say I’m taking my neighbor’s laptop on a business trip for several days. If I stay logged into Google with the “stay logged in” button for the duration of the trip and I physically log off before I return the laptop, will my neighbor have access to my account information like he would if I had Chrome remember any of my passwords? This is assuming that I don’t delete any sort of browser information. All I do is log off.
The good news is that as long as you remember to log out, you’re relatively safe. The bad news (besides my having to use the word “relatively”) is of course what happens when you forget to explicitly log out.
Remember me
“Remember me” actually works a little differently than having the browser remember your password, but basically it’s still the browser that’s doing the remembering.
When you say, “remember me”, the website in question (Google in your example) leaves a cookie on your machine that basically says, “You’re logged in.” In fact, that’s why after clearing cookies, or using a tool like CCleaner for the browser itself, you suddenly find you have to log in to all of your previously remembered websites.
Site developers use various techniques to decide what goes into that cookie so that it identifies you on later visits, and how long that cookie should last. Cookies can persist across browser runs, and they can be set to expire after a certain amount of time, or not at all.
And there’s no standard about what’s actually put inside that cookie except that it’s almost certainly not your username and password. Usually, it’s some kind of random token that has meaning only to the service in question. To you and me, it’s a random number. To Google, for example, it’s a token that says “This account is currently logged in.”
Signing out
What’s important here is that when you sign out, that cookie is either removed or updated to reflect the fact that no one is signed in.
When you return that laptop to its owner, he can’t just go into Gmail, and for example, “be you”. He also can’t go spelunking in the cookies or somewhere else to find out sensitive information like your account ID and password. It’s just not there.
You’re correct: that is very different from having the browser save the password for you, because in that scenario the browser literally saves your account name and password. When you’re simply saving your login state, whether it’s Gmail or the browser remembering that cookie, your account name and password are not stored on the computer at all.
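To make the cookie-and-token mechanism concrete, here is an added example (not code from this article, Google or any real site) of a minimal server-side session store: the cookie carries only a random token, “remember me” merely adds a Max-Age so the cookie outlives the browser session, and signing out revokes the token on the server, which is why a cookie value later recovered from the disk is worthless. The two-week and eight-hour lifetimes are assumptions.

```python
import secrets
from typing import Optional

# Lifetimes are assumptions for this example, not any real site's values.
REMEMBER_ME_SECONDS = 14 * 24 * 3600   # persistent cookie: two weeks
SESSION_SECONDS = 8 * 3600             # server-side limit for a plain session

# Server-side store, token -> (username, expiry). The browser only ever
# sees the token; the username and password never go into the cookie.
_sessions: dict[str, tuple[str, float]] = {}

def login(username: str, remember_me: bool, now: float) -> tuple[str, str]:
    """Issue a random session token and the Set-Cookie header the browser gets."""
    token = secrets.token_urlsafe(32)          # opaque, unguessable
    if remember_me:
        # Max-Age makes the browser keep the cookie across browser runs.
        ttl = REMEMBER_ME_SECONDS
        header = f"sid={token}; Max-Age={ttl}; Secure; HttpOnly"
    else:
        # No Max-Age/Expires: a session cookie the browser drops on close.
        ttl = SESSION_SECONDS
        header = f"sid={token}; Secure; HttpOnly"
    _sessions[token] = (username, now + ttl)
    return token, header

def who_is_signed_in(token: str, now: float) -> Optional[str]:
    """Map a cookie value back to a user, or None if it is no longer valid."""
    entry = _sessions.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        _sessions.pop(token, None)             # expired: forget it server-side
        return None
    return username

def sign_out(token: str) -> str:
    """Revoke the token server-side and tell the browser to delete the cookie."""
    # Once removed here, the token is useless even if the cookie file is
    # later recovered from the disk: the server no longer recognises it.
    _sessions.pop(token, None)
    return "sid=; Max-Age=0; Secure; HttpOnly"

def survives_browser_close(set_cookie_header: str) -> bool:
    """True if the cookie persists across browser runs (has Max-Age or Expires)."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie_header.split(";")[1:]}
    return "max-age" in attrs or "expires" in attrs
```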
Of course, if you forget to log out, then yes, your friend could go into Gmail and he’d be logged in as you. I actually see this happen a lot on shared computers. It’s risky, because the next person to come along could end up hijacking your account — or much worse, I suppose.
So, by all means, remember to log out, and by and large, you are relatively safe.
Relatively, by-and-large…
I did say relatively, and I need to explain that, because there are no absolutes here.
There’s more to using a browser than just signing in and visiting pages. You’ve probably heard of things like the browser cache, which the computer owner could go and examine. Things like https pages aren’t supposed to be cached, and I would assume webmail services would rely on that. But to go down the extremely paranoid route, things like the cache and cookies are just files on your computer; files that are deleted when they’re no longer used. And of course, under certain circumstances, we know that deleted files can be recovered.
And therein lies the risk. If the computer owner is so motivated, and technically capable, he could go spelunking around on the hard disk of the computer you had just been using to see what you left behind. And that’s without even bringing up the concern that perhaps the computer has spyware installed on it. (I’m assuming you trust the owner of this computer not to do something like that.)
If you want to be really, really safe, you need to do a couple of things before you return the computer.
- First, clear everything in the browser: the cache, the cookies, whatever. Use the browser itself; use CCleaner, or whatever makes sense to you.
- Second, run a free space wiper. Again, CCleaner has one of those.
Naturally, like I said, it still depends on how much you trust the person who is loaning you their computer, and on how sensitive whatever you actually used it for was. But in general, as long as you remember to sign out, you’re relatively safe.
And if “relatively” isn’t really good enough? Well then you need to start looking at things like clearing the browser’s data and wiping the disk’s free space.
Or, perhaps even better, perhaps you shouldn’t borrow somebody else’s laptop.
Leo,
I have often wondered whether or not clicking the red X in the right corner constitutes logging off a website.
… so it depends on how the site and its cookies are set up. Some of them (like banks) log you out. Some give you a choice. Some seem to leave you logged in almost forever (like Facebook and Pinterest.)
It does not.
I’m not trying to be facetious, but if I were taking MY NEIGHBOR’S laptop on a business trip for a few days, I’m not sure I would expect much in the way of security.
Is there the risk of someone intercepting the cookie with the token and then using it to log in on another machine?
Only for VERY poorly designed websites. So, in short, not really.