It seems like every time I log into a site that requires a password the option is presented to have the site remember the password so that it doesn’t ever need to be typed in again. (Whew! I’d hate to have to diagram that sentence!)
Anyway, is there any downside to letting the site remember it? Is the security OK, or does it vary by site? If a hacker gets in there are you toast?
I tend to use fairly long passwords so using this option would save quite a bit of typing, but I’m a little nervous about it.
I think that the password is on a cookie stored on your computer. I wipe all mine periodically and then I have to key user name and password into sites like FB and SD.
Important ones like bank and CC issuers, I do not allow any ‘save’ option and key it in every time.
If I understand correctly (and I don’t guarantee that I do), it’s not that the password is stored on the site or on the cookie: it’s that the cookie enables the site to recognize you, letting you be logged in without having to retype your password.
Separately from this, your browser may be capable of remembering your password for the sites you visit. This is what’s happening if you get to the screen or dialogue box where you have to enter your password, but it’s already filled in.
The security on this option is mostly on your end. If other people can use your computer or read the data on it (be that physical access, remote access, malware, etc), then that may provide them with the ability to get into that web site.
If it’s properly done, the cookie is a GUID which does not contain the encrypted password, but I know that there are sites which simply place the encrypted password into the cookie. It appears that vbulletin does this, actually (it sets a cookie called “bbpassword” containing a long hex string, which takes on the same value when you login again or in separate browsers). One reason for not doing that is so that if the user explicitly logs out, you may remove the cookie value from your server, and make it invalid, forcing explicit logins again even if the cookie value has been retained in a client.
First, make sure you understand the difference between a website itself remembering your password vs your browser remembering it for you. The browser option stores it locally on your hard drive and is completely under your control to turn on or off, but it won’t work for certain websites that don’t allow it. And if your hard drive crashes or your OS gets corrupted your password will be lost.
I wouldn’t be too afraid of ‘hackers’ getting your password if you let the website store it, as the OS will store it in encrypted form even at the lowest level. I used to work in an IT data center and the network admins used to always say that they had absolutely no way of retrieving an actual stored password even if they had to. But, not all data centers are created equal…
Which brings me to what I feel is the biggest danger in having the website save it. Namely I see time & time again that people who automatically store them and don’t ever enter their passwords will not be able to remember it when the (inevitable) time comes that they need to enter it again. It’s not the end of the world, but your only recourse then is to call customer service and wait on hold for an hour and have them reset it.
Regarding the lost password procedure, all (or at least, most) of the sites I visit have the option of checking a “lost your password” box if you can’t remember it. If this box is then checked, they will direct you to a site where you can enter a new password and have it immediately supersede the forgotten one. Not nearly the hassle it used to be.
I don’t understand what people are talking about “having the website store it.” The website has to store your password, otherwise you couldn’t use your password to log in to the website.
There are different schemes by which a Website will store your password, but it is always stored there. Whether or not it is in plain text or highly encrypted is a function of how the site was programmed.
Remembering a password to pre-fill a login form is a function of your browser. Remembering a login state is a group effort between your browser’s cookies (provided by the Website) and the Website’s interpretation of said cookies.
A website should never store your password. They should store a hashed version of your password. When you type in your password the website should perform the hash operation on it and compare that hash to what is stored.
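The two points made above (the cookie should be an opaque random session id that the server can revoke on logout, and the server should store only a salted hash of the password and re-hash on login to compare) fit together in one small model. The following is an added example, not code from any of the posters or from vBulletin. It assumes in-memory dictionaries standing in for the user table and session store, PBKDF2-SHA256 as the password hash, and a deliberately bad `bad_remember_me_cookie` helper that mimics the "cookie is a function of the password" pattern so the difference is visible.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores; in a real site these are database tables.
USERS = {}      # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # opaque session id (the cookie value) -> username

# Assumed work factor; raise it in production to match current guidance.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a per-user random salt and the PBKDF2 hash, never the password."""
    salt = secrets.token_bytes(SALT_LEN)
    USERS[username] = {"salt": salt, "hash": _pbkdf2(password, salt)}


def verify_password(username: str, password: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Burn the same work for an unknown user so timing does not reveal valid usernames.
        _pbkdf2(password, b"\x00" * SALT_LEN)
        return False
    return hmac.compare_digest(_pbkdf2(password, record["salt"]), record["hash"])


def login(username: str, password: str):
    """On success mint a fresh random session id; this, not the password, goes in the cookie."""
    if not verify_password(username, password):
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def whoami(session_id: str):
    """Map a presented cookie value back to a user. Unknown or revoked ids are anonymous."""
    return SESSIONS.get(session_id)


def logout(session_id: str) -> None:
    """Server-side revocation: the client may keep the cookie, but it no longer resolves."""
    SESSIONS.pop(session_id, None)


def bad_remember_me_cookie(username: str, password: str) -> str:
    """The anti-pattern: a cookie derived only from the password. It is identical on every
    login and in every browser, and the server has nothing to delete to revoke it short of
    forcing a password change. Shown for contrast only; do not use."""
    return hashlib.md5((username + ":" + password).encode()).hexdigest()


def demo() -> dict:
    """Walk through a login/logout cycle and report what each design allows."""
    register("alice", "correct horse battery staple")
    results = {}
    results["wrong_password_rejected"] = login("alice", "Tr0ub4dor&3") is None
    results["unknown_user_rejected"] = login("mallory", "anything") is None

    sid_browser_a = login("alice", "correct horse battery staple")
    sid_browser_b = login("alice", "correct horse battery staple")
    results["ids_differ_per_login"] = sid_browser_a != sid_browser_b
    results["valid_before_logout"] = whoami(sid_browser_a) == "alice"

    logout(sid_browser_a)
    # A replay of the old cookie value after logout is refused by the server.
    results["revoked_after_logout"] = whoami(sid_browser_a) is None
    # Other sessions for the same user are unaffected unless revoked explicitly.
    results["other_session_still_valid"] = whoami(sid_browser_b) == "alice"

    # The password-derived cookie never changes, so logging out cannot invalidate it.
    results["bad_cookie_is_constant"] = (
        bad_remember_me_cookie("alice", "correct horse battery staple")
        == bad_remember_me_cookie("alice", "correct horse battery staple")
    )
    # And the stored record contains no password, only salt and hash.
    results["no_plaintext_stored"] = b"correct horse" not in USERS["alice"]["hash"]
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The session id is the only secret the browser holds, and it is meaningless without the server-side table; that is what lets a logout (or an administrator) kill a stolen cookie. The password hash never leaves the server, and a leaked `USERS` table yields only salted PBKDF2 output, which is what the "no way of retrieving an actual stored password" remark in the thread describes.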
If anybody but me knows my password, then it isn’t my password. It’s a password I share with somebody or something else. If the website or application is, effectively, letting me stay logged in forever, then that’s no password at all.