Is the 'Keep Me Signed In' Option Immune to Password Changes?

by

If you check Keep Me Signed In when signing in to an online service, the idea is that you don't have to specify your password again... unless you change your password.
Question:

I recently saw that if I checked the Keep Me Signed In box in Hotmail,
then did not sign out, I would stay signed in indefinitely, even if I changed
my password using another computer. Every time I would sign in using the
previous computer it still signed in, as if Hotmail had updated my password
automatically on that machine. My question is, did this happen even when
Hotmail had two separate options for Remember Me and Remember My Password?
Because I checked Remember My Password on a cousin’s computer and then changed
my password later, because I moved to a different country. Does that mean my
cousin and anybody who used his computer had access to my emails?

What you’re seeing is not what I expect.

Regardless of whether you’re using Hotmail or some other service, I’ll
describe what I believe should happen that keeps you secure, as well as the
difference between those two Remember options on many sign-in screens.

And of course, I wouldn’t be doing my job if I also didn’t suggest what you
should do differently in the future to remain secure.

]]>
<![CDATA[

Remember Me versus Keep Me Signed In

Many services that require you to sign-in often offer one or two options to
help you on your return visit.

Given that most services require two pieces of information (your sign-in ID
and a password), the options correspond roughly to those two items.

Remember Me simply remembers your sign-in ID. Even if you
sign out, when you return, the sign-in form would have your sign-in ID already
filled in for you.

“Signing in to an account on any computer that isn’t
yours runs some serious security risks.”

Keep Me Signed In (occasionally labeled some variation of
Remember my Password) in a sense remembers your password. I say “in a sense” because your password isn’t really remembered – at least not for systems that are even halfway secure. Rather what’s remembered is the fact that you’re
signed in and that the sign-in can persist indefinitely or until you sign out.
You might be able to completely reboot your machine and upon returning to the
site, find that you’re still (or automatically) signed in.

Both of these techniques rely on cookies. A cookie is a small piece of
information associated with a particular service that’s stored on your computer
and sent along each time your browser requests more or new information from
that service. One might be a flag that says “SigninID=yourID” – the Remember Me part of all this – and another might be something like “SigninExpires=never” – the Keep Me Signed In part. (The tokens that I use are purely examples and not meant to represent exactly what’s stored in the cookies – typically, it’s much more obscure.)

The “SigninExpires” example is an interesting one because something like it
is necessary to prevent you from needing to sign-in for every single page you
view – the site needs to know that you have signed in and don’t need to sign in
again – thus, a concept of “SigninExpires” allows the system to keep you signed
in as you move from page to page. If you leave the site, the sign-in might
expire after a few minutes or a few hours; at which point, you’d have to sign in
again.

If you specify Keep Me Signed In, then the length might simply be increased to something large – perhaps weeks or months – or set to a value that means forever.

Password changes on one machine while signed in on another

So, you sign-in on machine A and say Keep Me Signed In.

You then move to machine B where you change your account password.

What should happen is that the next attempt to access the site from machine
A should prompt for a password.

Simple as that. And it should happen whether or not you said Keep Me Signed In.

If it does not then, in my opinion, the site’s security isn’t up to par.
Their approach is defensible (you did say to stay signed in, after
all), but for just the scenario you outline, it’s not really secure to do
anything less than invalidate that sign in when the password changes.

What you should have done

It probably goes without saying that you shouldn’t use Keep Me Signed In on any computer that isn’t yours.

Ever.

You’re simply asking for problems.

If using other people’s computers is something that you do often, what you should
really do is use two-factor authentication; or as in Hotmail’s case, use a “one
time code” to sign in.

In both cases, this is something that you need to set up before you need it.

In one case, it simply means that your password is not enough to sign-in –
you also need a second form of authentication, such as a code provided by the
service via another channel, like your mobile phone. In the other case, you don’t
use your normal password at all, but rather use a special code or password that
works exactly once.

And always sign out when you are done.

Always.

Signing in to an account on any computer that isn’t yours runs some serious
security risks. Between keyloggers (intentional and otherwise), or just
snooping around in the browser cache after you sign out, you’re really trusting
the owner of the computer – and everyone else who uses it after you do – to be honest and upstanding.

Sadly, as we know all too well, that’s not always a reasonable assumption,
and hence, we need to take steps to protect ourselves.

At a minimum, keep your usage of Keep Me Signed In to a minimum and only on your own computer. Having to sign in every so often is a minor inconvenience compared to having your account hacked, or worse.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

6 comments on “Is the &apos;Keep Me Signed In&apos; Option Immune to Password Changes?”

  1. How do I enable cookies so I can use the “keep me signed in option?”

    It depends on what browser you use, but it’s generally enabled by default.

    Leo
    29-May-2012
    Reply

  2. I don’t understand how hackers can try gazillions of possible passwords until they break into your account. Don’t web sites lock you out from any additional log-in attempts…at least for a while… after you’ve made several unsucessful tries? If not, why don’t they?

    Reply

  3. Leo,

    I enjoyed your article about “Keep Me Signed In”. It reminded me of something that goes on in the credit card industry.

    Let’s say you buy a trial subscription to something with the option of subscribing indefinitely. An unscrupulous vendor will submit your credit card info with the “Recurring Charge” option selected. If you later decide to change your card number to avoid future charges from the unscrupulous vendor, your credit card provider will, as a convenience to you, provide the vendor with the new card information!

    Using a “Secure Online Credit Card Number” (a number assigned to a single vendor) prevents this, but some vendors (such as Paypal) won’t accept the secure numbers.

    Reply

  4. If you request your browser, say, chrome, to remember user name and password the same can be reversed (In Chrome, Click spanner–> settings–> advanced settings–>passwords and forms–>manage passwords).

    Reply

  5. I tell my customers an easy to crack password is like locking your screen door when going on vacation, without locking up the wood and steel doors in the house.

    Reply

  6. Did someone mention “easy to crack password”?
    How would a novice or any other person for that matter know what a good password is?
    Gee, that’s easy. Go to:

    https://www.grc.com/passwords.htm
    GRC provides a great password generator.

    On the same page look at the upper page to find
    “Password Haystacks” [IN BOLD RED]
    https://www.grc.com/haystack.htm

    Here, GRC features a new approach to generating super-secure passwords and a brute force password search calculator! Try your existing password here.

    I have a desktop link to the password generator for quick use. I’ll copy/paste this to a separate page so I don’t forget it, and that page is encrypted [truecrypt].

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Additional information is available at https://askleo.com/creative-commons-license/.