
If you check Keep Me Signed In when signing in to an online service, the idea is that you don't have to specify your password again... unless you change your password.

I recently saw that if I checked the Keep Me Signed In box in Hotmail, then did not sign out, I would stay signed in indefinitely, even if I changed my password using another computer. Every time I would sign in using the previous computer it still signed in, as if Hotmail had updated my password automatically on that machine. My question is, did this happen even when Hotmail had two separate options for Remember Me and Remember My Password? Because I checked Remember My Password on a cousin's computer and then changed my password later, because I moved to a different country. Does that mean my cousin and anybody who used his computer had access to my emails?

What you're seeing is not what I expect.

Regardless of whether you're using Hotmail or some other service, I'll describe what I believe should happen to keep you secure, as well as the difference between those two Remember options on many sign-in screens.

And of course, I wouldn't be doing my job if I didn't also suggest what you should do differently in the future to remain secure.

Remember Me versus Keep Me Signed In

Many services that require you to sign in offer one or two options to help you on your return visit.

Given that most services require two pieces of information (your sign-in ID and a password), the options correspond roughly to those two items.

Remember Me simply remembers your sign-in ID. Even if you sign out, when you return, the sign-in form will already have your sign-in ID filled in for you.


Keep Me Signed In (occasionally labeled some variation of Remember my Password) in a sense remembers your password. I say "in a sense" because your password isn't really remembered – at least not for systems that are even halfway secure. Rather, what's remembered is the fact that you're signed in and that the sign-in can persist indefinitely or until you sign out. You might be able to completely reboot your machine and, upon returning to the site, find that you're still (or automatically) signed in.

Both of these techniques rely on cookies. A cookie is a small piece of information associated with a particular service that's stored on your computer and sent along each time your browser requests more or new information from that service. One might be a flag that says "SigninID=yourID" – the Remember Me part of all this – and another might be something like "SigninExpires=never" – the Keep Me Signed In part. (The tokens that I use are purely examples and not meant to represent exactly what's stored in the cookies – typically, it's much more obscure.)

The "SigninExpires" example is an interesting one because something like it is necessary to prevent you from needing to sign in for every single page you view. The site needs to know that you have signed in and don't need to sign in again, so a concept like "SigninExpires" lets the system keep you signed in as you move from page to page. If you leave the site, the sign-in might expire after a few minutes or a few hours, at which point you'd have to sign in again.

If you specify Keep Me Signed In, then the length might simply be increased to something large – perhaps weeks or months – or set to a value that means forever.

Password changes on one machine while signed in on another

So, you sign in on machine A and say Keep Me Signed In.

You then move to machine B where you change your account password.

What should happen is that the next attempt to access the site from machine A should prompt for a password.

Simple as that. And it should happen whether or not you said Keep Me Signed In.

If it does not then, in my opinion, the site's security isn't up to par. Their approach is defensible (you did say to stay signed in, after all), but for just the scenario you outline, it's not really secure to do anything less than invalidate that sign-in when the password changes.
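As an added illustration (not code from this article, from Hotmail, or from any real service), here is a minimal server-side session store that behaves the way the scenario above says a site should: each session records the password "generation" it was issued under, so changing the password on machine B makes machine A's remembered session fail on its next request, however long Keep Me Signed In asked for. The class names, the two lifetimes and the generation counter are assumptions made for the example.

```python
import secrets
import time

SHORT_SESSION = 30 * 60          # ordinary sign-in: "a few minutes or a few hours"
KEEP_SIGNED_IN = 90 * 24 * 3600  # Keep Me Signed In: "weeks or months"

class Account:
    def __init__(self, user_id, password):
        self.user_id = user_id
        self.password = password       # plaintext only to keep the example short; real systems store a salted hash
        self.password_generation = 0   # bumped on every password change

class SessionStore:
    def __init__(self):
        self.accounts = {}   # user_id -> Account
        self.sessions = {}   # opaque cookie token -> session record

    def sign_in(self, user_id, password, keep_signed_in=False, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(user_id)
        if acct is None or password != acct.password:
            return None
        token = secrets.token_urlsafe(32)   # the obscure value the cookie actually carries
        lifetime = KEEP_SIGNED_IN if keep_signed_in else SHORT_SESSION
        self.sessions[token] = {
            "user_id": user_id,
            "expires": now + lifetime,
            "password_generation": acct.password_generation,
        }
        return token

    def is_signed_in(self, token, now=None):
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None or now >= s["expires"]:
            return False
        # A session minted under an older password is treated as expired, whatever its lifetime.
        return s["password_generation"] == self.accounts[s["user_id"]].password_generation

    def sign_out(self, token):
        self.sessions.pop(token, None)   # "always sign out when you are done"

    def change_password(self, user_id, old_password, new_password):
        acct = self.accounts[user_id]
        if old_password != acct.password:
            return False
        acct.password = new_password
        acct.password_generation += 1   # every outstanding session for this account now fails is_signed_in
        return True
```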

What you should have done

It probably goes without saying that you shouldn't use Keep Me Signed In on any computer that isn't yours.

Ever.

You're simply asking for problems.

If using other people's computers is something that you do often, what you should really do is use two-factor authentication; or as in Hotmail's case, use a "one time code" to sign in.

In both cases, this is something that you need to set up before you need it.

In one case, it simply means that your password is not enough to sign in – you also need a second form of authentication, such as a code provided by the service via another channel, like your mobile phone. In the other case, you don't use your normal password at all, but rather a special code or password that works exactly once.

And always sign out when you are done.

Always.

Signing in to an account on any computer that isn't yours runs some serious security risks. Between keyloggers (intentional and otherwise), or just snooping around in the browser cache after you sign out, you're really trusting the owner of the computer – and everyone else who uses it after you do – to be honest and upstanding.

Sadly, as we know all too well, that's not always a reasonable assumption, and hence, we need to take steps to protect ourselves.

At a minimum, keep your usage of Keep Me Signed In to a minimum and only on your own computer. Having to sign in every so often is a minor inconvenience compared to having your account hacked, or worse.

Article C5390 - May 26, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


6 Comments
jean skinner
May 29, 2012 5:51 PM

How do I enable cookies so I can use the "keep me signed in option?"

It depends on what browser you use, but it's generally enabled by default.
Leo
29-May-2012
Engineer10388
May 29, 2012 8:04 PM

I don't understand how hackers can try gazillions of possible passwords until they break into your account. Don't web sites lock you out from any additional log-in attempts...at least for a while... after you've made several unsuccessful tries? If not, why don't they?

Doug Witmer
May 29, 2012 9:37 PM

Leo,

I enjoyed your article about "Keep Me Signed In". It reminded me of something that goes on in the credit card industry.

Let's say you buy a trial subscription to something with the option of subscribing indefinitely. An unscrupulous vendor will submit your credit card info with the "Recurring Charge" option selected. If you later decide to change your card number to avoid future charges from the unscrupulous vendor, your credit card provider will, as a convenience to you, provide the vendor with the new card information!

Using a "Secure Online Credit Card Number" (a number assigned to a single vendor) prevents this, but some vendors (such as Paypal) won't accept the secure numbers.

Jagadish
May 30, 2012 1:42 AM

If you request your browser, say, chrome, to remember user name and password the same can be reversed (In Chrome, Click spanner--> settings--> advanced settings-->passwords and forms-->manage passwords).

Thom
May 30, 2012 10:33 AM

I tell my customers an easy to crack password is like locking your screen door when going on vacation, without locking up the wood and steel doors in the house.

GREG JACKSON
May 30, 2012 3:44 PM

Did someone mention "easy to crack password"?
How would a novice or any other person for that matter know what a good password is?
Gee, that's easy. Go to:

https://www.grc.com/passwords.htm
GRC provides a great password generator.

On the same page look at the upper page to find
“Password Haystacks” [IN BOLD RED]
https://www.grc.com/haystack.htm

Here, GRC features a new approach to generating super-secure passwords and a brute force password search calculator! Try your existing password here.

I have a desktop link to the password generator for quick use. I'll copy/paste this to a separate page so I don't forget it, and that page is encrypted [truecrypt].
