Is It Safe to Let Websites Remember Me?

Question:

Leo, you’ve made a big deal about how insecure it is for an internet browser to remember your login information because it can be viewed by anyone using that browser. However, what about websites that offer to remember your login information for you? An example of this is Google. When you are logging in you can simply check a box that says, “Stay signed in” and unless you actually physically log off, you’ll remain logged in. If you don’t check that box, simply closing the browser will log you off.

Let’s say I’m taking my neighbor’s laptop on a business trip for several days. If I stay logged into Google with the “stay logged in” button for the duration of the trip and I physically log off before I return the laptop, will my neighbor have access to my account information like he would if I had Chrome remember any of my passwords? This is assuming that I don’t delete any sort of browser information. All I do is log off.

The good news is that as long as you remember to log out, you’re relatively safe. The bad news (besides my having to use the word “relatively”) is of course what happens when you forget to explicitly log out.

Remember me

“Remember me” actually works a little differently than having the browser remember your password, but basically it’s still the browser that’s doing the remembering.

When you say, “remember me”, the website in question (Google in your example) leaves a cookie on your machine that basically says, “You’re logged in.” In fact, that’s why after clearing cookies, or running a cleanup tool like CCleaner against the browser, you suddenly find you have to log in again to all of your previously remembered websites.

Site developers decide what goes into that cookie and how long it should last. A cookie given an expiration date persists across browser runs until that date (a “persistent” cookie); a cookie without one is discarded when the browser exits (a “session” cookie). Checking “Stay signed in” is typically what turns the first kind on.

And there’s no standard about what’s actually put inside that cookie except that it’s almost certainly not your username and password1. Usually, it’s some kind of random token that has meaning only to the service in question. To you and me, it’s a random number. To Google, for example, it’s a token that says “This account is currently logged in.”

Signing out

What’s important here is that when you sign out, that cookie is either removed or updated to reflect the fact that no one is signed in. On a well-built site the server forgets the token on its end as well, so even a copy of the old cookie stops working.

When you return that laptop to its owner, he can’t just go into Gmail, and for example, “be you”. He also can’t go spelunking in the cookies or somewhere else to find out sensitive information like your account ID and password. It’s just not there.

You’re correct that this is very different from having the browser save the password for you. In that scenario, the browser literally stores your account name and password. When a site remembers your login state with a cookie, your account name and password are simply not on your computer; only the token is.

Of course, if you forget to log out, then yes, your friend could go into Gmail and he’d be logged in as you. I actually see this happen a lot on shared computers. It’s risky, because the next person to come along could end up hijacking your account — or much worse, I suppose.

So, by all means, remember to log out, and by and large, you are relatively safe.

Relatively, by-and-large…

I did say relatively, and I need to explain that, because there are no absolutes here.

There’s more to using a browser than just signing in and visiting pages. You’ve probably heard of the browser cache, which the computer owner could go and examine. Sensitive pages are supposed to tell the browser not to cache them (being served over https doesn’t by itself prevent caching; the site’s cache-control headers do), and I would assume webmail services rely on that. But to go down the extremely paranoid route, the cache and cookies are just files on your computer, files that are deleted when they’re no longer used. And of course, under certain circumstances, we know that deleted files can be recovered.

And therein lies the risk. If the computer owner is so motivated, and technically capable, he could go spelunking around on the hard disk of the computer you had just been using to see what you left behind. And that’s without even bringing up the concern that perhaps the computer has spyware installed on it. (I’m assuming you trust the owner of this computer not to do something like that.)

If you want to be really, really safe, you need to do a couple of things before you return the computer.

  • First, clear everything in the browser: the cache, the cookies, whatever. Use the browser itself; use CCleaner, or whatever makes sense to you.
  • Second, run a free-space wiper, which overwrites the disk space those deleted files used to occupy. Again, CCleaner has one of those.

Naturally, like I said, it still depends on how much you trust the person who is loaning you their computer, and on how sensitive whatever you used it for actually was. But in general, as long as you remember to sign out, you’re relatively safe.

And if “relatively” isn’t really good enough? Well, then you need to start looking at things like clearing the browser and wiping the disk’s free space.

Or, perhaps even better, perhaps you shouldn’t borrow somebody else’s laptop.


Footnotes & references

1: Well, it better not be. That would be a disastrous security decision. Rest assured that sites you care about are not doing this.

6 comments on “Is It Safe to Let Websites Remember Me?”

  1. Leo,
    I have often wondered whether or not clicking the red X in the right corner constitutes logging off a website.

  2. I’m not trying to be facetious, but if I were taking MY NEIGHBOR’S laptop on a business trip for a few days, I’m not sure I would expect much in the way of security.

  3. Is there the risk of someone intercepting the cookie with the token and then using it to log in on another machine?

