
Once you've logged into a site, cookies are often used to keep you logged in for some period of time. There are risks associated with that, and more.

Do IE browser cookies store my password? For example, if someone once logged into my webmail account and saved the cookie on his computer, will he still be able to access the account using the old cookie if I later changed my password?

It's time again for one of my most common answers: it depends.

It depends, mostly, on what webmail service you're using.

Regardless, you may very well be at risk - not only for webmail, but for any account that requires you to log in.

First let's be clear about something - it's the web site you're visiting that determines what is and is not saved in cookies. IE actually has nothing to do with the decision, other than providing the mechanisms to store and retrieve cookies.

Since it's the website's decision, the answer of exactly what gets stored in a cookie will vary dramatically from site to site. Each will probably save something very different than all the others.

In general, the strictest answer to your question is no, websites do not actually store your password in the cookies that they place on your machine. That would be fairly poor security, as then anyone with access to your machine could examine the contents of the cookies and retrieve your password. I'm sure it's been done, but most of the commercial services have hopefully moved to more secure approaches.

At a minimum, the password is hashed or encrypted, meaning that the cookie makes sense only to the service in question, and can't be deciphered. Better yet, the cookies might contain some other kind of data not related to your password at all, but related to information contained on the service's computer. For example, the cookie might contain the number 12, and then the service can look up entry number 12 in its table of currently logged-in users and determine if you're logged in, how long you've been active, and whatever else they need to know to provide their functionality.

But you may still be at risk.

The information that's kept in cookies or wherever is used to keep you logged in - so that you don't have to log in to see every page, every message, every click in your webmail program. Even if you browse to a different site, when you return it'll probably remember that you're logged in for a while.

And there's the problem. How long's "a while"?

You can guess the answer: it depends.

Some services (banks in particular) keep this period rather short. Others seem to keep it fairly long, presumably for your convenience. That means, however, that once you've viewed email on someone else's computer they may be able to return to your email after you leave.

Unless, that is, you do one thing when you're done:

Sign out of your email.

Signing out removes the cookies or otherwise invalidates the information that says you were logged in. If you visit that site again, you'll have to log in again.

Technically you could also clear cookies, but that shouldn't be necessary.
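
The lookup-table approach described above, as an added example (not code from Ask Leo! or from any real webmail service): the cookie holds only a random ID, and whether an old saved cookie survives a password change comes down to a choice the service makes. The class, function and user names are assumptions made for illustration.

```python
import secrets
import time

# Added illustration; SessionStore and every name in it are hypothetical.
class SessionStore:
    """Server-side table of logged-in users, keyed by the cookie value."""

    def __init__(self, lifetime_seconds, revoke_on_password_change):
        self.lifetime = lifetime_seconds
        self.revoke_on_password_change = revoke_on_password_change
        self.sessions = {}  # cookie value -> (username, expiry time)

    def log_in(self, username, now=None):
        now = time.time() if now is None else now
        # Unlike the article's "12", a real ID has to be long and random
        # so that nobody can guess another user's table entry.
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (username, now + self.lifetime)
        return cookie  # the password never appears in the cookie

    def who_is(self, cookie, now=None):
        """Return the logged-in username for this cookie, or None."""
        now = time.time() if now is None else now
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        username, expires = entry
        if now >= expires:
            del self.sessions[cookie]  # "a while" has run out
            return None
        return username

    def sign_out(self, cookie):
        # Deleting the server's entry makes any saved copy of the cookie useless.
        self.sessions.pop(cookie, None)

    def change_password(self, username):
        # Password storage is omitted; only the effect on sessions is shown.
        if self.revoke_on_password_change:
            self.sessions = {c: e for c, e in self.sessions.items()
                             if e[0] != username}


def old_cookie_survives(revoke, lifetime=3600):
    """Does a cookie saved elsewhere still work after a password change?"""
    store = SessionStore(lifetime, revoke)
    saved_cookie = store.log_in("alice", now=0)  # constructed sample user
    store.change_password("alice")
    return store.who_is(saved_cookie, now=60) == "alice"
```

With `revoke=False` the saved cookie keeps working until it expires or the user signs out; with `revoke=True` the password change itself ends every existing session.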

However, there's still one other area that catches people by surprise: remembered passwords.

If the browser is configured to remember passwords, and you accidentally allow it to remember your password when you log in to your email, then that password can be trivially recovered by anyone who has access to that computer.

No matter what you do, or how you do it, logging in to your accounts on someone else's computer always calls for extra caution. In fact, it's something that I simply avoid if at all possible.

There are just too many things that can go wrong.

Article C3832 - August 8, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.
