It is Time to Forget the “Remember Me” Checkbox

Hengki Sihombing
2 min read · Feb 22, 2014

Why not to use the “Remember Me” feature on websites anymore

The Remember Me checkbox first appeared about 10-12 years ago on websites to ease users’ trouble of logging in again and again. The feature uses the idea of persistent login which is implemented using cookies.
Remember Me was a useful feature, but not anymore. I think it is time to ditch the Remember Me feature now (year 2010). I present my arguments below:
Remember Me is Redundant
All modern browsers have a password remember feature. It is safer to use the browser’s remember password feature than the website’s remember me feature.

Remember Me Introduces Unwanted Security Issues
All you need to hack a user account on a website that offers Remember Me is that user's persistence cookie. The cookie can be obtained through physical access to the machine, via cross-site scripting attacks, or by session hijacking, to name a few ways. The security of a website is inversely proportional to its avenues of attack; by not using Remember Me you reduce their number.

Remember Me Implementation Will Always be Insecure
There is no standard way of implementing secure session persistence. All proposed techniques are vulnerable to the security issue mentioned above. Also, an average user is likely to tick the Remember Me checkbox even on a public system, despite being explicitly told not to do so.

Developers are still referring to a six-year-old article on implementing persistent login for their websites. Someone even came up with an improved version of the technique. There is no point in improving something that's past its usefulness. The best way to implement Remember Me is not to implement it at all.
What about outdated browsers that don't support a password save feature? Don't use them. They are outdated for a reason; get with the times.
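To make the two arguments above concrete, here is an added Python example, written for this edit and not code from the original post or from the persistent-login articles it refers to. It sketches the usual selector/validator persistent-login scheme together with the mitigations a defender can bolt on: hashed server-side storage, an expiry, HttpOnly/Secure/SameSite cookie attributes, and rotate-on-use with replay detection and revocation (the general shape of the "improved" techniques, not any specific article's code). The names `REMEMBER_STORE`, `TOKEN_LIFETIME` and the functions are my own, the store is an in-memory dict standing in for a database, and the user, clock values and header are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# In-memory stand-in for the server-side table a persistent-login scheme needs
# (constructed for this example): selector -> {user, validator_hash, expires}.
REMEMBER_STORE: Dict[str, dict] = {}

TOKEN_LIFETIME = 30 * 24 * 3600  # assumed lifetime: 30 days in seconds


def _hash(validator: str) -> str:
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_remember_cookie(user: str, now: Optional[float] = None) -> str:
    """Mint a persistent-login token for `user` and record only its hash.

    The cookie value is "selector:validator". The selector is the lookup key;
    the validator is the secret, and the store keeps sha256(validator), so a
    leaked copy of the table cannot be replayed as cookies.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    REMEMBER_STORE[selector] = {
        "user": user,
        "validator_hash": _hash(validator),
        "expires": now + TOKEN_LIFETIME,
    }
    return f"{selector}:{validator}"


def set_cookie_header(value: str) -> str:
    """Set-Cookie line with the attributes that narrow the theft avenues the post
    lists: HttpOnly (script cannot read it, blunting XSS exfiltration), Secure
    (never sent over plaintext HTTP), SameSite=Lax (not sent on cross-site POSTs)."""
    return (f"remember_me={value}; Max-Age={TOKEN_LIFETIME}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def revoke_all_for_user(user: str) -> int:
    """Delete every persistent token for `user`: the only remedy once theft is suspected."""
    doomed = [s for s, r in REMEMBER_STORE.items() if r["user"] == user]
    for s in doomed:
        del REMEMBER_STORE[s]
    return len(doomed)


def authenticate_remember_cookie(cookie: str, now: Optional[float] = None
                                 ) -> Tuple[Optional[str], Optional[str]]:
    """Return (user, replacement_cookie) if the cookie is valid, else (None, None).

    The validator is rotated on every successful use, so a cookie value can be
    redeemed once. If a known selector arrives with a validator that no longer
    matches, an older copy of the cookie is being replayed from a second place
    (disk copy, XSS exfiltration, hijacked session): treat it as theft and
    revoke the user's tokens. Note what is never checked: who is presenting
    the cookie. The first holder to redeem it, legitimate or not, is logged in.
    """
    now = time.time() if now is None else now
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None, None
    record = REMEMBER_STORE.get(selector)
    if record is None or record["expires"] < now:
        return None, None
    if not hmac.compare_digest(_hash(validator), record["validator_hash"]):
        revoke_all_for_user(record["user"])  # replay of an already-spent cookie
        return None, None
    new_validator = secrets.token_urlsafe(32)
    record["validator_hash"] = _hash(new_validator)
    return record["user"], f"{selector}:{new_validator}"


def demo() -> dict:
    """Walk through issue, use, replay and revocation on a fixed clock (constructed values)."""
    t0 = 1_000_000.0
    REMEMBER_STORE.clear()
    original = issue_remember_cookie("alice", now=t0)
    # Day 1: the browser holding the cookie is logged in and receives a rotated value.
    first_user, rotated = authenticate_remember_cookie(original, now=t0 + 86400)
    # Day 2: the ORIGINAL value is presented again. The browser already traded it
    # in, so a second copy exists somewhere. The server cannot tell whose hands it
    # is in; it can only notice the replay and revoke everything for the user.
    replay_user, _ = authenticate_remember_cookie(original, now=t0 + 2 * 86400)
    # The rotated cookie in the real browser is now dead too: a fresh login is required.
    after_revoke_user, _ = authenticate_remember_cookie(rotated, now=t0 + 2 * 86400)
    return {
        "first_use": first_user,                 # "alice"
        "replay_of_spent_cookie": replay_user,   # None: replay detected, tokens revoked
        "after_revocation": after_revoke_user,   # None
        "tokens_left": len(REMEMBER_STORE),      # 0
        "header": set_cookie_header(original),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The walk-through shows what the mitigations buy and what they do not: the cookie attributes shrink the avenues for stealing the value, hashing protects against a leaked table, and rotation lets the server notice a replay after the fact and cut the user off. None of them changes the fact that the cookie is a bearer credential, which is the post's point.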

Notes
1. Remember Me uses persistent cookies for authentication.
2. Persistent cookies introduce security issues.
3. Cookies can be stolen via XSS attacks and session hijacks.
4. Remember Me is an artifact from the spinning-logo era; it should be dumped.

References
* HTTP cookie
* Cross-site scripting
* Session hijacking
* Google.com UTF-7 XSS Vulnerabilities
