It depends. Who do you trust?

It depends on the physical security of your computer.
Here’s what you need to consider.

Signing out
As long as no one else can access your machine while you’re not around — or those who can are trustworthy — then staying signed in is generally safe. If you’re not certain or know that others pose a risk, sign out before you walk away.
Always sign out?
I don’t.
I’m signed in to email — and all my other accounts, for that matter — all day long. I’m probably signed in to my Gmail accounts for days at a time across multiple machines here at home. The same is true for my Microsoft account.
I can make some assumptions about my machines, however, that allow me to feel safe doing so.
Someone else
Could someone else walk up to your computer and start using it? More pragmatically, of the people in your home who can, would they cause trouble by poking around in your signed-in accounts?
If the answer is yes, it’s a good idea to sign out when you’re done. At least sign out when you know you’ll be stepping away for a while. [1]
On the other hand, if you know no one would try to do anything inappropriate, there’s really no need.
It’s the latter scenario at my house: no one else is going to cause problems.
Someplace else
The obvious counter-example is public or shared computers.
This is the clearest example of other individuals accessing the same computer you’ve used. If you walk away leaving yourself signed in, someone else could compromise your account or at least cause trouble.
Closing the browser may not be enough. Recent reports [2] seem to indicate that Microsoft is doing away with the “Stay Signed In?” question, always assuming you want to stay signed in. This means that anyone walking up to the computer and firing up the browser might find themselves still signed into your account.
There are two ways to avoid this:
- Always sign out.
- Only use an InPrivate or Incognito browser window and make sure to close it when you’re done.
It’s mostly about physical access
It all comes down to how much you trust the people with access to your computer when you’re not around.
If you trust them, great. Don’t bother signing out.
If you don’t, can’t, or just aren’t sure, then signing out is the safest thing to do.
Do this
Be sure to do all of the other things it takes to keep your computer safe on the internet.
But if you’re doing that, and you don’t have somebody who’s going to cause trouble while you’re not around, I wouldn’t worry.
That’s how I operate.
Footnotes & References
1: Or lock your machine.
2: There’s some confusion. The Microsoft support article they point to doesn’t contain what the news reports say it does. My guess is that Microsoft may have made a statement to this effect and then walked it back. Nonetheless, we can at least assume it’s a real possibility.
I do NOT stay logged in to sites. I do not like google tracking my internet habits so I stay logged out of my google account until (and only until) I need to be logged in for a specific reason. Likewise for email. I have an email account with my ISP as well as accounts on outlook.com and gmail. I have Thunderbird set up with connections for each and it periodically checks for new messages, and downloads them to local storage. If I lose my internet connection for any reason I still have access to my archived messages. Also, I have no faith in online storage/services. Services can go away without warning, storage quotas can be downsized, mail systems can be hacked, and terms of service can be arbitrarily changed. For the record, I also do not use an online password manager (such as LastPass). KeePass serves all my needs and runs/stores locally.
I have an email address with my ISP but I’ve never given it to anybody. In fact, I don’t even know what it is. My first email address was with AOL. Later, I had another ISP supplied email address and I lost access each time I switched providers. I then heard about Yahoo’s email which promised email for life and signed up for that. I still have that account after over 20 years. I use it for newsletters etc.
As for cloud storage, I only use it for syncing my data among my computers. I have backups of all the synced machines.
Leo has recommended using Thunderbird to back up your emails.
Used to have Thunderbird; it has its capacity limits.
Thunderbird has no capacity limits. It’s only limited by the free space on your drive.
Is simply closing down the browser a secure way of logging out of potentially multiple accounts?
Nope. Many services will come back in the signed-in state. Not all, but some. ¯\_(ツ)_/¯
Be very careful when using a library or other public computer. In fact it’s better to avoid public computers as much as possible. This incident happened before smartphones:
I once went to a public library to check my email. The session timed out while I was still logged in. I asked the attendant if that would log me out of my email’s website. He said it didn’t (I knew it wouldn’t). I asked him to re-enable my session, and it opened directly into my email account page. The next person to use the computer would have had access to my email account.
That depends on the website you are logging into. Some place a cookie to keep you logged in when you return to that site. For example, Google and Facebook keep you logged in forever. Others log you out automatically. Others have a cookie that expires after a time and you have to log in again. Many give you the choice with a “Keep me logged in”, “Remember me”, or similar checkbox on logging in.
Your comment touches on my principal concern about staying logged in: that is, what are the systemic risks, as opposed to the incidental risks. My concern is less that someone will have physical access to my device, but more that what someone, or something, will do to my logged in account when I am not using it, principally bots that are looking for logged in accounts with which to do mischief. Granted, I’m not certain if there are bots that in fact ARE looking for logged in accounts, but I’d rather not give them the opportunity. What do you think? Too much belt and suspenders? I’m open to ideas : )
The chances of a remote attack are, well let’s say, remote 🙂 possible but very improbable. And if that does happen, you have much more to worry about than someone accessing one open account. If they can get into your system remotely, they can steal all of your accounts, data, and more.
Thanks for that! I had a sneaking suspicion my concerns might be a TAD excessive, but I didn’t have the commitment to verify their validity, . . . so I didn’t.
Your informed comment gives me the confidence to return those suspenders back to the mothballs where they belong : )
Thanks again!!
Another thing to be conscious of is your password management program if you use one. I usually have LastPass signed in and ready to supply any password I need for any site. If I take my personal laptop to the tech shop, or give my work laptop to the IT Department, they can access everything through LastPass if I forget to sign out from the extension. I don’t think I’ve ever forgotten, but even if I did, the sensitive sites such as banking and shopping are doubly secured by setting LastPass to ask for a Password Reprompt before entering the login credentials on those pages.
I believe in most you can also configure an amount of time it remains logged in.
Leo, you wrote:
“At least sign out when you know you’ll be stepping away for a while.”
An alternative to this might be to simply lock the screen (CTRL-ALT-DEL, then click “lock”). Yes, you do have to log back into your computer, but the advantage is that your web session with whatever site you’re on remains active and is not interrupted; you can pick up right where you left off instead of having to begin a whole new session.
Normally, and just like Leo, I stay logged in. For example, I never log out of Amazon unless I have to; I log in with the “keep me logged in” option checked, and when I’m done with them for the day, I don’t log out, but merely close the browser.
However when, every few months or so, my Mom hosts a meeting of her Sci-Fi club and there are various people floating about the house, I’ll lock the screen before I leave the computer (say, to use the toidy). It’s not even so much an issue of distrust of those present, as much as a desire to “keep honest people honest” by removing a completely unnecessary temptation. 🙂
I used to close the lid of my laptop to put it to sleep when I shut down for the night. Then the next day, I’d get a message that the backup wasn’t performed. I’ve switched to locking it via the Windows key + L so the background processes can be carried out.
You can change what closing the lid does. Click the Start Menu button and type “LID” and choose “Change what closing the lid does”. There are options for what to do when you close the lid with the machine plugged in, or on batteries. I recommend letting it go to sleep when you close the lid on batteries. But the plugged in setting can be changed to “Do nothing”, which will keep your computer running when you close it, so your backups will happen.
Personally, I always lock the machine when I step away, at work or home. I live alone, but life is unpredictable and I’d rather enter my Windows PIN# 100 times a day than have my identity stolen because someone broke in to steal my TV and found my computer unlocked.
Lock the screen. It’s not just humans you have to protect against, a cat can cause all sorts of mayhem tromping around on your keyboard when you’re not looking.
On my laptops I set the “What happens when I close the lid” setting to “Do nothing”. This works for me because I found a small and free app that locks the lid for me when I close it, on Cnet’s Downloads[dot]com (https://download.cnet.com/lid-lock/3000-2094_4-76464070.html) website. It hasn’t been updated since 2015, but it works as expected on my Lenovo Legion 5 laptop under Windows 11 Pro.
This feature should be built into Windows by default, and be available as an option under the “What happens when I close the lid” in the Settings app, but Microsoft hasn’t seen fit to make it so. I made a suggestion to this effect when I was an insider on Windows 10, but it has never been added. I suppose Microsoft doesn’t think it’s worth bothering with. It was one of the many reasons I quit the insider program.
Ernie
Isn’t that more-or-less redundant with setting “require password on resume”? That’s effectively a lock on close without additional tools. With that in place I can see Microsoft not electing to implement your solution.
I have to admit that I did not read all the comments here, but when I switch on my laptop, I have to use my pincode.
So I always switch off my machine after having used it.
But, as I said, this “solution” probably has been given here.
Paul
Netherlands (the country which is always governed by a coalition of political parties, which is GREAT)
What exactly do you want to do? Do you want to bypass the PIN? That’s not safe. Or what?