Making life more difficult for thieves.
It dawned on me that I left out something worth exploring from my recent article on preparing technology for travel.
Cookies.
Specifically, one step you can take to protect yourself a little more should you lose your laptop while you’re on the road.
Become a Patron of Ask Leo! and go ad-free!
Why you should clear cookies when travelling
Cookies are used to avoid signing in over and over to the online sites you visit. Unfortunately, if your computer is stolen, the thief may be able to access your accounts as well. Clearing cookies — either using a third-party tool or browser options — can prevent this from happening.
Cookies?
Cookies are small packets of data websites leave on your computer when you visit them. Those packets of data are sent back to that site the next time you visit.
While they get a lot of publicity related to advertising and tracking, they have a much more useful purpose that you really do want: staying signed in.
When you tell a website to remember you, the site does so by leaving a cookie on your machine that indicates you’re signed in.1
And therein lies a security risk.
Thieves love it when websites remember you. It’s a simple scenario: a thief gets your machine, they’re somehow able to sign in to Windows,2 and now all of a sudden they have access to everything for which you’ve said “Remember me”.
The solution? Clear your cookies if you’re taking your machine into what we might consider a risky environment — like when you travel.
Clearing cookies: technique 1
My preference is to use a tool that clears all the cookies in all the browsers I have installed at once. I do this the morning I depart on my trip.
I’ll use CCleaner.
CCleaner cleans a lot more than cookies, but the reason I prefer it is that it notices all the browsers you have installed and clears the cookies for all of them at once.
As always, when installing third-party tools, follow the installation carefully and turn down any and all offers for software you don’t need. The free version of CCleaner is all you need. (You can also turn off the option for “Smart Cleaning” and “Keep CCleaner updated automatically”, both of which leave a small program running at all times when enabled.)
Clearing cookies: technique 2
If you only use one or two browsers, it may be easier just to have the browser clear cookies itself.
In your browser, type CTRL+SHIFT+DEL to bring up browser-clearing settings.
Different browsers display this option differently, but the concept is the same: instruct your browser to clear all cookies. (For “All time”, if that’s an option.)
Clearing cookies: technique 3
Your browser begins accumulating new cookies as soon as you start signing into your sites and services again, so you need to tell it not to while you’re traveling.
This setting may be called different things in different browser, so you’ll need to search your specific settings for it.
With this option on, cookies are cleared automatically when you close your browser.
This is perhaps the most secure setting of all. As long as you always close your browser, you’ll know that cookies have been cleared.
It’s also the most annoying.
Clearing cookies: technique 4
I have to include this for completeness, but it’s not a technique I recommend at all.
Always sign out of every site and service you use.
This prevents the service from being automatically signed in the next time you visit. It’s functionally equivalent to having deleted that service’s cookies.
I don’t recommend it for one important reason: it relies on the most error-prone part of the system.
You.
It relies on you remembering to sign out all the time. That’s not realistic.
The annoyance of clearing cookies
Additional security comes at a cost. The cost here is simple: after clearing cookies, you need to sign in to every service the next time you visit.
That’s the point. A thief would be unable to do so, and thus would not have access to your accounts.
But you have to sign in. Again. And again. And again.
Do this
It’s not a popular security technique because of the annoyance factor, but I strongly advise you to consider some form of cookie cleaning before you travel.
My compromise is usually to clear all cookies using CCleaner before I leave. Then I’ll pay attention to which sites I need to sign in to, and decide on a case-by-case basis whether or not to take further action.
Something else to consider: for more tips and advice like this, subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: Technically, that cookie already exists, because it’s what prevents you from having to sign in over and over again as you move from page to page. “Remember me” really just means “remember me for a longer period of time”.
2: Yes, there should be additional obstacles to prevent a thief from getting this far. And yet, it’s also very common that there aren’t, or that some are somehow bypassed. “Sleep” mode is just one example.
If you have full disk encryption (Bitlocker, VeraCrypt etc.) running and you shut the machine down (not Sleep), it wouldn’t be necessary to clear cookies as the cookies would be encrypted along with everything else.
I’d never take my laptop out of the house without whole disk encryption enabled and the computer fully shut down. Leo’s second footnote is very important. Don’t take your computer out of the house unless it’s fully shut down.
Some good thoughts here. But doesn’t really work for me. I don’t believe that everyone needs a cellphone and I am one of those people without one. I’m just not that important. With so many websites pushing 2 factor authentication, it gets tricky when you travel without a cellphone. Some websites will send the code via email (like Microsoft). Others insist that it must be a text or voice message to a phone number. When I am away from home, I can’t log in to those phone only websites. Fortunately, many of them allow me to say that my laptop is a trusted device and will set a cookie to tell them not to send a code. I’ve run into banking problems while travelling before and couldn’t log in to deal with the situation because I ran CCleaner before backing up my laptop before travelling.
I don’t disagree with clearing the cookies. There’s a lot of less significant websites, most of which I don’t visit while travelling. But I will always log in to my bank’s website after clearing my cookies to make sure that the trusted device cookie gets set before I travel. I’ve learned the hard way.
And to be clear, I’m not suggesting everyone needs to clear cookies, or all cookies. Just that it’s something to consider depending on your personal situation.
That’s one advantage of living in Europe, you can get a cheap phone with a pay per minute prepaid SIM card. If you don’t use it to make calls, you pay nothing, and it’s free to receive texts. I pay $8 a month for unlimited calls and texts and 3 GB internet.
This article suggests a feature that could be added to a browser: encrypting cookies! When enabled, this (purely hypothetical) feature would encrypt all of your cookies using a secure algorithm & passphrase. While enabled, you would need to supply a master passphrase for the browser to be able to access any of your cookies; at the end if the browser session, the cookies (possibly amended) would be resaved and re-encrypted. Disabling this feature would (permanently) decrypt all of the cookies.
“Wait,” I hear you ask, “What’s the point? How is supplying a master passphrase any different from manually signing into a site?”
ANSWER: Well, none at all… if only one website is involved. In that case, I admit it’d be pretty pointless.
The key thing is that such a master passphrase system would make all cookies available simultaneously, enabling you to browse normally and freely among multiple sites during that particular session.
Hmmm…
Integrating a custom-made (or adapted) browser into a password manager would probably accomplish essentially the same thing.
Any thoughts?
Whole disk encryption would do what you are suggesting. Everything, including cookies, is encrypted when you are not using the machine. Be sure to shut down your computer when you finish your work. Sleep will leave your files unencrypted.
This would be a problem with phones, as it is necessary to keep them in sleep mode to use them as phones.
I would probably get a phone if it were that cheap in Canada. But it’s not and since I’m just not that important, I have better things to spend that money on.
Hi Leo can I ask let’s say if you are traveling to a place like Korea, do I have to clear the cookies on my phone or not at all? Because I’m not bringing my laptop along