4 Replies - 1329 Views - Last Post: 25 April 2014 - 03:08 AM

#1 brep

  • D.I.C Head
  • Reputation: 23
  • Posts: 175
  • Joined: 26-August 11

"Remember me" option on account login a security risk?

Posted 20 April 2014 - 07:30 PM

Hey everyone,

So, I have been experimenting with web development for a little bit, and I recently have explored the concept of cookies. I have known for some time that most websites that enable the option of "Remembering me" when a user logs in use cookies to store the user's password. Isn't this a security risk, since a hacker could steal the cookies and find the user's password stored in them, thus enabling the hacker to compromise the user's account?

Thanks,
brep

This post has been edited by brep: 20 April 2014 - 07:31 PM



Replies To: "Remember me" option on account login a security risk?

#2 Blindman67

  • D.I.C Addict
  • Reputation: 138
  • Posts: 615
  • Joined: 15-March 14

Re: "Remember me" option on account login a security risk?

Posted 20 April 2014 - 08:00 PM

Cookies generally do not hold passwords. That would be very irresponsible on the part of the web site. Passwords are securely stored by your browser and have nothing to do with cookies.

Cookies are used for a host of different reasons. One is to track you. When you visit a site the web page checks if you have a cookie from them. If you don't then they give you one with a randomly assigned number, or ID.

Next time you visit the site they will see the cookie and thus know that you have returned, they can use that ID to set up your custom preferences.

Cookies can track you across multiple sites and help keep a record of what you like to click and what you don't. They really don't care who you are, just that you are a unique individual.

And there is a lot more that can be done with cookies.

#3 Dormilich

  • 痛覚残留
  • Reputation: 4125
  • Posts: 13,016
  • Joined: 08-June 10

Re: "Remember me" option on account login a security risk?

Posted 21 April 2014 - 01:34 AM

remember-me cookies usually hold an identifier and a (so-called) access token (which is refreshed on every "login").
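The scheme Dormilich describes (an identifier plus an access token, refreshed on every use), written out as an added example that is not from this thread or any framework. It also covers Blindman67's point that the cookie must not carry the password: the server stores only a hash of the token, so neither a stolen cookie nor a leaked database gives away a credential. The cookie value is selector:validator; the selector finds the record, the validator is checked in constant time against its hash, and a correct selector with a wrong validator is treated as a copied cookie, revoking every remember-me token for that user. Function names such as issue_token and redeem_token, and the in-memory _tokens table, are this example's own choices.

```python
"""Added example: a 'remember me' cookie that never contains the password.

The cookie carries a random selector (identifier) and a random validator
(access token). The server stores the selector and only a SHA-256 hash of
the validator. The token is rotated every time it is redeemed, and a
selector presented with the wrong validator revokes all of that user's
remember-me tokens. Names here are illustrative, not a real framework's API.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 30 * 24 * 3600  # 30 days, in seconds

# Constructed in-memory "database" standing in for a real table:
# selector -> {"user_id", "validator_hash", "expires"}
_tokens = {}


def _hash(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_token(user_id, now=None):
    """Create a remember-me token for user_id and return the cookie value."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, no secrecy needed
    validator = secrets.token_urlsafe(32)  # the secret; only its hash is stored
    _tokens[selector] = {
        "user_id": user_id,
        "validator_hash": _hash(validator),
        "expires": now + TOKEN_LIFETIME,
    }
    return f"{selector}:{validator}"


def revoke_user(user_id):
    """Delete every remember-me token belonging to user_id; returns the count."""
    doomed = [s for s, r in _tokens.items() if r["user_id"] == user_id]
    for s in doomed:
        del _tokens[s]
    return len(doomed)


def redeem_token(cookie, now=None):
    """Validate a cookie. Returns (user_id, new_cookie) or (None, None).

    On success the old token is deleted and a fresh one issued (rotation),
    so a copied cookie stops working once the real browser uses it again.
    """
    now = time.time() if now is None else now
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None, None
    record = _tokens.get(selector)
    if record is None:
        return None, None
    if now >= record["expires"]:
        del _tokens[selector]
        return None, None
    # Constant-time comparison so response timing does not leak the validator.
    if not hmac.compare_digest(record["validator_hash"], _hash(validator)):
        # Correct selector, wrong validator: someone holds a copied or
        # guessed cookie. Revoke all tokens for the user and force a login.
        revoke_user(record["user_id"])
        return None, None
    user_id = record["user_id"]
    del _tokens[selector]
    return user_id, issue_token(user_id, now)


def set_cookie_header(cookie):
    """The Set-Cookie line a server would send: HTTPS only, hidden from script."""
    return (f"Set-Cookie: remember_me={cookie}; Max-Age={TOKEN_LIFETIME}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    first = issue_token(42)
    print(set_cookie_header(first))
    uid, rotated = redeem_token(first)
    print("first use -> user", uid, "cookie rotated:", first != rotated)
    print("replay of old cookie ->", redeem_token(first))
    stolen_selector = rotated.split(":")[0]
    print("wrong validator ->", redeem_token(stolen_selector + ":guess"))
    print("legitimate cookie after theft ->", redeem_token(rotated))
```

The Secure, HttpOnly and SameSite attributes matter as much as the token design: without HttpOnly a script injected into the page can read the cookie, and without Secure it travels in clear text over HTTP.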

#4 brep

  • D.I.C Head
  • Reputation: 23
  • Posts: 175
  • Joined: 26-August 11

Re: "Remember me" option on account login a security risk?

Posted 21 April 2014 - 07:32 AM

Oh ok, so the browser stores them itself... I never knew that. I thought I remembered reading somewhere that the passwords were stored in cookies... oh well. Thanks for the clarification!

#5 ge∅

  • D.I.C Lover
  • Reputation: 175
  • Posts: 1,116
  • Joined: 21-November 13

Re: "Remember me" option on account login a security risk?

Posted 25 April 2014 - 03:08 AM

When you log in to a site, your browser generally asks you "do you want [browser name] to save your login information for this site?". If you accept, it will pre-fill the form next time you visit the site, whereas the "remember me" option will emulate a persistent session and automatically log you in. So it's not the same feature.

Cookies are not the only way to track you, and I find them generally more friendly than other means: when a trusted domain sets a cookie, you can assume it will only be used to track you while you visit the site (you can't have safe user sessions without cookies anyway, so it's a fair use).

What I dislike is the use of third-party widgets and scripts like google+/facebook/twitter/google search API, etc. because you find them in many websites, so when these third-party domains set a cookie (or just log your HTTP request when you load them), they store anonymous information (such as your IP address) and cross it with a qualified database to track you as a person (if you've got a gmail account and visit websites with google+ widgets, google Analytics and the like, Google already knows your email address and your address book, but also the sites you like to visit, and probably your phone number, your phone's MAC address and installed apps if you use an Android phone, etc.).

I find it very hypocritical to write in one's terms of use / privacy policy that one doesn't log your personal information when you use one's widget or service because even though it's not technically the case, one gets there eventually.
