Helping people with computers... one answer at a time.
If you check Keep Me Signed In when signing in to an online service, the idea is that you don't have to specify your password again... unless you change your password.
I recently saw that if I checked the Keep Me Signed In box in Hotmail, then did not sign out, I would stay signed in indefinitely, even if I changed my password using another computer. Every time I would sign in using the previous computer it still signed in, as if Hotmail had updated my password automatically on that machine. My question is, did this happen even when Hotmail had two separate options for Remember Me and Remember My Password? Because I checked Remember My Password on a cousin's computer and then changed my password later, because I moved to a different country. Does that mean my cousin and anybody who used his computer had access to my emails?
What you're seeing is not what I expect.
Regardless of whether you're using Hotmail or some other service, I'll describe what I believe should happen that keeps you secure, as well as the difference between those two Remember options on many sign-in screens.
And of course, I wouldn't be doing my job if I also didn't suggest what you should do differently in the future to remain secure.
Many services that require you to sign in offer one or two options to make your return visit easier.
Given that most services require two pieces of information (your sign-in ID and a password), the options correspond roughly to those two items.
Remember Me simply remembers your sign-in ID. Even if you sign out, when you return, the sign-in form would have your sign-in ID already filled in for you.
Keep Me Signed In (occasionally labeled some variation of Remember My Password) in a sense remembers your password. I say "in a sense" because your password isn't really remembered – at least not by systems that are even halfway secure. Rather, what's remembered is the fact that you're signed in and that the sign-in can persist indefinitely, or until you sign out. You might be able to completely reboot your machine and, upon returning to the site, find that you're still (or automatically) signed in.
Both of these techniques rely on cookies. A cookie is a small piece of information associated with a particular service that's stored on your computer and sent along each time your browser requests more or new information from that service. One might be a flag that says "SigninID=yourID" – the Remember Me part of all this – and another might be something like "SigninExpires=never" – the Keep Me Signed In part. (The tokens that I use are purely examples and not meant to represent exactly what's stored in the cookies – typically, it's much more obscure.)
The "SigninExpires" example is an interesting one because something like it is necessary to prevent you from needing to sign in for every single page you view. The site needs to know that you have signed in and don't need to sign in again, so a concept like "SigninExpires" allows the system to keep you signed in as you move from page to page. If you leave the site, the sign-in might expire after a few minutes or a few hours, at which point you'd have to sign in again.
If you specify Keep Me Signed In, then the length might simply be increased to something large – perhaps weeks or months – or set to a value that means forever.
So, you sign in on machine A and say Keep Me Signed In.
You then move to machine B where you change your account password.
What should happen is that the next attempt to access the site from machine A should prompt for a password.
Simple as that. And it should happen whether or not you said Keep Me Signed In.
If it does not then, in my opinion, the site's security isn't up to par. Their approach is defensible (you did say to stay signed in, after all), but for exactly the scenario you outline, it's not really secure to do anything less than invalidate that sign-in when the password changes.
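To make the machine A / machine B scenario concrete, here is an added example (my own illustration, not Hotmail's code or anything from the original article) of how a service can honor Keep Me Signed In and still throw machine A out the moment the password is changed on machine B. The cookie names, lifetimes, and the "generation" counter are all assumptions for the example: the password is never stored on the client, only an opaque random token; Remember Me stores nothing but the sign-in ID; and every password change bumps a per-account counter that every outstanding session is checked against on each request.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Session lifetimes (constructed values for this example).
SHORT_SESSION = 60 * 60            # one hour: expires soon after you leave the site
LONG_SESSION = 60 * 60 * 24 * 30   # thirty days: what "Keep Me Signed In" buys you
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Salted PBKDF2 so the server never keeps the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    generation: int = 0     # incremented on every password change


@dataclass
class Session:
    user: str
    expires_at: float
    generation: int         # account generation at the time the session was issued


class AuthServer:
    """Hypothetical sign-in service; the clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}   # user -> Account
        self.sessions = {}   # opaque token -> Session (server side; the browser only holds the token)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def _check_password(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))

    def sign_in(self, user, password, remember_me=False, keep_me_signed_in=False):
        """Returns the cookies the browser would store, or None on bad credentials."""
        if not self._check_password(user, password):
            return None
        lifetime = LONG_SESSION if keep_me_signed_in else SHORT_SESSION
        token = secrets.token_urlsafe(32)   # opaque: reveals nothing about the password
        acct = self.accounts[user]
        self.sessions[token] = Session(user, self.clock() + lifetime, acct.generation)
        cookies = {"Session": token}
        if remember_me:
            cookies["SigninID"] = user      # only pre-fills the form; grants no access by itself
        return cookies

    def who_is_signed_in(self, cookies):
        """Run on every page request: the user, or None if they must sign in again."""
        token = cookies.get("Session", "")
        sess = self.sessions.get(token)
        if sess is None:
            return None
        acct = self.accounts[sess.user]
        expired = self.clock() > sess.expires_at
        stale = sess.generation != acct.generation   # password changed since this session was issued
        if expired or stale:
            del self.sessions[token]
            return None
        return sess.user

    def change_password(self, user, old, new):
        """Machine B changes the password; every session on every machine is invalidated."""
        if not self._check_password(user, old):
            return False
        acct = self.accounts[user]
        salt = secrets.token_bytes(16)
        acct.salt, acct.password_hash = salt, hash_password(new, salt)
        acct.generation += 1
        return True

    def sign_out(self, cookies):
        self.sessions.pop(cookies.get("Session", ""), None)


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "old-password")
    machine_a = srv.sign_in("alice", "old-password", remember_me=True, keep_me_signed_in=True)
    print("machine A before change:", srv.who_is_signed_in(machine_a))   # alice
    srv.change_password("alice", "old-password", "new-password")          # done from machine B
    print("machine A after change:", srv.who_is_signed_in(machine_a))    # None: must sign in again
```

The generation check is what makes the difference: a Keep Me Signed In token can have a thirty-day expiry and still die instantly when the password changes, because the server compares the counter stored with the session against the account's current counter on every request. Holding the session list server-side also means sign-out and password changes can revoke tokens without needing to reach the other machine at all.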
It probably goes without saying that you shouldn't use Keep Me Signed In on any computer that isn't yours.
You're simply asking for problems.
If using other people's computers is something that you do often, what you should really do is use two-factor authentication; or as in Hotmail's case, use a "one time code" to sign in.
In both cases, this is something that you need to set up before you need it.
In one case, it simply means that your password is not enough to sign in – you also need a second form of authentication, such as a code provided by the service via another channel, like your mobile phone. In the other case, you don't use your normal password at all, but rather a special code or password that works exactly once.
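As an added illustration of the "works exactly once" idea (my own constructed example, not how Hotmail or any particular service implements one-time codes), the following keeps only digests of the codes it issued and removes a code the moment it is accepted, so a code captured by a keylogger on somebody else's computer is worthless once you have used it. The code length and the storage layout are assumptions for the example.

```python
import hashlib
import secrets


class OneTimeCodes:
    """Hypothetical single-use sign-in code store."""

    def __init__(self):
        self.unused = {}   # user -> set of digests of codes that have not been used yet

    @staticmethod
    def _digest(code):
        # Store a hash, not the code, so a copy of the store does not reveal usable codes.
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def issue(self, user, count=5):
        """Generate a fresh batch; the plain codes are shown to the user exactly once."""
        codes = [secrets.token_hex(4) for _ in range(count)]   # 8 hex digits each
        self.unused[user] = {self._digest(c) for c in codes}
        return codes

    def redeem(self, user, code):
        """True if the code was valid; it is consumed before access is granted."""
        digests = self.unused.get(user)
        if not digests:
            return False
        d = self._digest(code)
        if d not in digests:
            return False
        digests.remove(d)      # a second attempt with the same code now fails
        return True

    def remaining(self, user):
        return len(self.unused.get(user, ()))


if __name__ == "__main__":
    store = OneTimeCodes()
    codes = store.issue("alice", count=3)
    print("first use:", store.redeem("alice", codes[0]))    # True
    print("replay:", store.redeem("alice", codes[0]))       # False
    print("codes left:", store.remaining("alice"))          # 2
```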
And always sign out when you are done.
Signing in to an account on any computer that isn't yours runs some serious security risks. Between keyloggers (intentional and otherwise), or just snooping around in the browser cache after you sign out, you're really trusting the owner of the computer – and everyone else who uses it after you do – to be honest and upstanding.
Sadly, as we know all too well, that's not always a reasonable assumption, and hence, we need to take steps to protect ourselves.
At a minimum, keep your usage of Keep Me Signed In to a minimum and only on your own computer. Having to sign in every so often is a minor inconvenience compared to having your account hacked, or worse.