I am Hack Sparrow
Captain of the Internets.

It is Time to Forget the “Remember Me” Checkbox

Why not to use the "Remember Me" feature on websites anymore

The Remember Me checkbox first appeared about 10-12 years ago on websites to spare users the trouble of logging in again and again. The feature is built on the idea of a persistent login, which is implemented with cookies.

Remember Me was a useful feature, but not anymore. I think it is time to ditch the Remember Me feature now (year 2010). I present my arguments below:

  1. Remember Me is Redundant
    All modern browsers have a password-remembering feature. It is safer to use the browser's saved-password feature than the website's Remember Me feature.
  2. Remember Me Introduces Unwanted Security Issues
    All an attacker needs to take over a user account on a website that offers Remember Me is the user's persistence cookie. That cookie can be obtained through physical access to the machine, via cross-site scripting attacks, or through session hijacking, to name a few ways. The security of a website is inversely proportional to its avenues of attack; by not using Remember Me you reduce their number.
  3. Remember Me Implementation Will Always be Insecure
    There is no standard way of implementing secure session persistence. All proposed techniques are vulnerable to the security issue mentioned above. Also, an average user is likely to tick the Remember Me checkbox even on a public system, despite being explicitly told not to do so.
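To make argument 2 concrete, here is an added example (my own sketch, not code from this post or from any of the articles it mentions) of a minimal persistent-login cookie in Python: whoever presents the token is logged in, and the only things limiting the damage of a stolen cookie are the defensive measures around it (hashed storage, expiry, single-use rotation, HttpOnly/Secure attributes). The store, function names and the 30-day lifetime are my assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store of issued tokens. Only the SHA-256 hash of each
# token is kept, so a leaked database does not hand out usable cookies.
TOKEN_STORE = {}
TOKEN_LIFETIME = 30 * 24 * 3600  # assumed 30-day persistence window, in seconds


def issue_remember_me(user, now=None):
    """Create a persistent-login token for `user`.

    Returns (raw_token, set_cookie_header). The raw token goes only to the
    client; the server stores its hash.
    """
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    digest = hashlib.sha256(raw.encode()).hexdigest()
    TOKEN_STORE[digest] = {"user": user, "expires": now + TOKEN_LIFETIME}
    # HttpOnly keeps the cookie out of document.cookie (limits XSS theft);
    # Secure keeps it off plaintext HTTP (limits sniffing on the wire).
    header = (f"remember_me={raw}; Max-Age={TOKEN_LIFETIME}; Path=/; "
              "HttpOnly; Secure; SameSite=Lax")
    return raw, header


def login_from_cookie(raw, now=None):
    """Return the user this cookie authenticates, or None.

    This is the property the post warns about: nothing ties the token to
    the browser it was issued to, so any client presenting it is logged in.
    The token is consumed on use, so a copy replayed after the legitimate
    login is rejected and the caller should issue a fresh one each time.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(raw.encode()).hexdigest()
    record = TOKEN_STORE.pop(digest, None)  # single use: rotate on every login
    if record is None or record["expires"] < now:
        return None
    return record["user"]


def revoke_all(user):
    """Invalidate every persistent login for `user` (password change, logout everywhere)."""
    doomed = [k for k, v in TOKEN_STORE.items() if v["user"] == user]
    for key in doomed:
        del TOKEN_STORE[key]
    return len(doomed)
```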

Developers are still referring to a six-year-old article on implementing persistent login for their websites. Someone even came up with an improved version of the technique. There is no point in improving something that is past its usefulness. The best way to implement Remember Me is not to implement it at all.

What about outdated browsers that don't support a password-save feature? Don't use them. They are outdated for a reason; get with the times.

Notes

  1. Remember Me uses persistent cookies for authentication.
  2. Persistent cookies introduce security issues.
  3. Cookies can be stolen via XSS attacks and session hijacks.
  4. Remember Me is an artifact from the spinning-logo era; it should be dumped.

One Response to “It is Time to Forget the “Remember Me” Checkbox”

  1. RV says:

    I partially agree, although it is not truly 100% valid and true for all uses…

    Some business/internal applications have no problem with having a remember me, and I for one prefer that to using my browser password manager.

    I also would argue that although it may make a website somewhat more vulnerable it is very difficult to point at Remember Me as the “culprit” to a bad site security architecture… By knowing user IP, validating browser signatures, etc, etc, among other things it is possible to make XSS attacks all but impossible… (nothing is ever impossible in terms of hacking, but it is possible to make it very difficult…)

    I agree with some of what is said in the article, but honestly, I don't think such an approach is the best… In general most extremes, such as “all logins should have remember me” or “all remember me is obsolete”, are flawed. I believe this is one of those cases…