October 25th, 2007

Is “Remember me” still needed?

This is a question that I am not sure of the answer to but it is something that I’ve thought about before. Saving a cookie to a user’s machine used to be something that concerned new Internet users but I am not so sure that people care too much anymore.

What reminded me of this was that this morning I saw a tweet by Steven Frank, of Panic, which read: “I’m bugged by “Remember me” checkboxes. I’d rather stay cookied and just log out of my desktop OS account. Or use the site logout button.”

I think this is a relatively minor issue since the person logging in only needs to decide whether to check a single box or not - but it may be something that we could remove from our layouts altogether.

What do you think? Do you feel this ‘feature’ is imperative or, at this point, not as needed?

My personal opinion is that it isn’t needed because more often than not I want the site to set a cookie so that I stay logged in. But I use a laptop and bring it with me nearly everywhere I go. So for me, this is a matter of convenience not of security. Others may bounce from cafe to cafe, college computer lab to computer lab, and will view this much more as a security issue - and probably feel differently than I do.

Thoughts?


3 Responses to “Is “Remember me” still needed?”

  1. Daniel Nicolas Says:

    I think it’s needed. Just as you said, it’s not an issue if you’re the only one who uses the computer, or if you never clear your cookies.

    But multiple users (even if it’s just a friend checking his email on your system) is a large enough group of people that it’s worth having on.

    I think there’s some sort of privacy issue but I can’t come up with anything at the moment.

    Also, I often choose not to use the remember me because I have a set of passwords for each site and typing the username and password each time helps me memorize them. If I’ve only logged in once to a site, I’m pretty much screwed if I have to log in a month down the road. I can guess and go through them all, but it’s frustrating to have to send password reminders all the time.

  2. valerie Says:

    I prefer to be remembered from the start and I get frustrated with sites on which I click “remember me” and they just refuse to. I also use my laptop most of the time and stay logged in to just about everything other than secure sites. When someone else uses my laptop, they know they have to log out of my stuff first or use IE (since I use Firefox). If a site doesn’t have a “remember me” I expect that it WILL remember me.

    I feel like most people want to be remembered, except on shared computers, of course, and those people know to log out. Even my most computer-illiterate of friends understand this. The only people I run into anymore that worry about cookies are people who are living in 1997 and just don’t get it. I got some funny friends. :)

    But all in all, at least in the various circles I run in, I feel like “remember me” is unnecessary.

  3. Owen Says:

    While struggling to avoid the reputation that Microsoft gained by allowing their operating system to be very permissive, and effectually insecure, we’re trying to create Habari to be secure by default and demand that you knowingly make it less secure rather than casually providing an option without mentioning the ramifications.

    By making staying logged in a default on shared machines, forgetting to log out is a very serious security matter, because you probably won’t realize that it’s happening. If this option is omitted at login, then you must remember to log out. Even when you know you should, you don’t or can’t always do it. This is not a very secure default.

    Currently, without any plugin, Habari logins time out after 20 minutes of non-use. (We are considering extending that to an hour.) Also, if you log out of Habari on one machine, it logs you out of any machine that might be using your login. There are also measures in place that prevent a hacker from re-using the cookie that keeps you logged in. There is no “remember me” option at all.

    We’ve been talking this week about how we can make this easier on the user who is used to working with less secure but more convenient systems. I think many developers on the project are of the opinion that “most secure by default” is the way to go. We can’t expect that every user of our software has a degree in computer security, and it’s our responsibility to make some educated decisions for our users. Only if you really understand the ramifications should you install something that makes your site less secure.

    With Habari we have some interesting tricks up our sleeves that might allow the software to be more permissive without completely compromising security, but as a rule, I am pretty emphatic about removing that checkbox, but not because it should remember your login by default; rather, because it shouldn’t remember your login at all.
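
Added example, not part of the original post or comments and not Habari's code: a minimal server-side session store showing the three behaviours described in the third response (20-minute idle timeout, logging out everywhere on logout, and a cookie that cannot be replayed). The class name, method names and the choice of rotating the token on every request are assumptions; the comment does not say which measures Habari actually uses.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; the "20 minutes of non-use" from the comment


class SessionStore:
    """Hypothetical store: idle timeout, log-out-everywhere, single-use cookies."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sha256(token) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked session table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = {"user": user, "last_seen": self._clock()}
        return token

    def login(self, user):
        """Call after the password check succeeds; returns the cookie value."""
        return self._issue(user)

    def check(self, token):
        """Return (user, replacement_token) for a valid cookie, else (None, None)."""
        # pop() makes every cookie single-use: a copied value is dead once spent.
        record = self._sessions.pop(self._digest(token), None)
        if record is None:
            return None, None
        if self._clock() - record["last_seen"] > IDLE_TIMEOUT:
            return None, None  # idle too long; the record is already gone
        return record["user"], self._issue(record["user"])

    def logout(self, token):
        """End every session of the token's user; returns how many were ended."""
        record = self._sessions.get(self._digest(token))
        if record is None:
            return 0
        stale = [k for k, v in self._sessions.items() if v["user"] == record["user"]]
        for key in stale:
            del self._sessions[key]
        return len(stale)
```

Rotating on every request assumes one request at a time per browser; parallel requests carrying the same cookie would need a short grace window for the previous token.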
