Website: http://cdevroe.com/
Original page: http://cdevroe.com/notes/rememberme/
But multiple users (even if it's just a friend checking his email on your system) is a large enough group of people that it's worth having on.
I think there's some sort of privacy issue, but I can't come up with anything at the moment.
Also, I often choose not to use the remember me because I have a set of passwords for each site and typing the username and password each time helps me memorize them. If I've only logged in once to a site, I'm pretty much screwed if I have to log in a month down the road. I can guess and go through them all, but it's frustrating to have to send password reminders all the time.
I feel like most people want to be remembered, except on shared computers, of course, and those people know to log out. Even my most computer-illiterate friends understand this. The only people I run into anymore that worry about cookies are people who are living in 1997 and just don't get it. I got some funny friends. :)
But all in all, at least in the various circles I run in, I feel like "remember me" is unnecessary.
By making staying logged in a default on shared machines, forgetting to log out is a very serious security matter, because you probably won't realize that it's happening. If this option is omitted at login, then you must remember to log out. Even when you know you should, you don't or can't always do it. This is not a very secure default.
Currently, without any plugin, Habari logins time out after 20 minutes of non-use. (We are considering extending that to an hour.) Also, if you log out of Habari on one machine, it logs you out of any machine that might be using your login. There are also measures in place that prevent a hacker from re-using the cookie that keeps you logged in. There is no "remember me" option at all.
We've been talking this week about how we can make this easier on the user who is used to working with less secure but more convenient systems. I think many developers on the project are of the opinion that "most secure by default" is the way to go. We can't expect that every user of our software has a degree in computer security, and it's our responsibility to make some educated decisions for our users. Only if you really understand the ramifications should you install something that makes your site less secure.
With Habari we have some interesting tricks up our sleeves that might allow the software to be more permissive without completely compromising security, but as a rule, I am pretty emphatic about removing that checkbox, but not because it should remember your login by default; rather, because it shouldn't remember your login at all.
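The session behaviour the last commenter describes (a 20-minute idle timeout, logging out on one machine ending the login everywhere, and a login cookie that cannot be re-used once copied) can be illustrated with a small server-side session store. This is an added example written for this page, not Habari's code; the class and method names, the token rotation scheme and the `demo()` walkthrough are assumptions.

```python
import secrets
import time
IDLE_TIMEOUT = 20 * 60  # seconds; the 20-minute idle limit the comment describes


class SessionStore:
    """Server-side sessions with idle expiry, rotating one-time cookie tokens and
    'log out everywhere'. An assumed design for illustration, not Habari's code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def touch(self, token):
        """Validate a presented cookie; returns (user, new_token) or (None, None).
        The presented token is consumed, so a copied old value cannot be replayed."""
        sess = self._sessions.pop(token, None)
        if sess is None:
            return None, None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            return None, None  # idle too long; the session is already gone
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = {"user": sess["user"], "last_seen": now}
        return sess["user"], new_token

    def logout(self, token):
        """Drop every session of the user who owns this token; returns the count."""
        user = self._sessions.get(token, {}).get("user")
        stale = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def demo():
    """Exercise the three behaviours against a manual clock; returns the outcomes."""
    now = [1000.0]  # constructed clock so the idle timeout can be simulated
    store = SessionStore(clock=lambda: now[0])
    t1 = store.login("alice")
    user, t2 = store.touch(t1)   # normal request: the cookie value rotates
    replayed = store.touch(t1)   # the old cookie value is presented again
    now[0] += 21 * 60            # idle for longer than the 20-minute limit
    idle = store.touch(t2)
    a, b = store.login("bob"), store.login("bob")  # two browsers, one user
    dropped = store.logout(a)    # logging out on one machine logs out both
    return {"user": user, "rotated": t2 != t1, "replay": replayed,
            "idle": idle, "dropped": dropped, "other": store.touch(b)}
```

In a real deployment the cookie carrying the token should also be marked HttpOnly and Secure, which this in-memory sketch does not cover.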