Has the time come to kill the Remember Me checkbox? (2009)
37signals.com

No, it's time to kill passwords. If I need to log in, send me two links and/or temporary auth codes: a persistent login clearly labeled, and a transient login for use in public places. If you're a serious site (banks, utilities, etc), use two-factor auth, don't accept anything less and of course, don't persist my login.
Alternatively, I keep hoping to see user-controlled federated ID gaining traction - you know, a personal 'wallet' that I maintain myself and store all of my identity in. And when you want to know who I am, you contact my server and it tells you if I approve it. I'd happily take this extra step every time. However, I've realized that this will never happen - too many people don't care, and no major tech companies are willing to push it for fear of backlash.
While I'm wandering further off-subject (but still reasonably tangential): dear people who make marketing email systems, please stop requiring me to log in when I follow your unsubscribe link. One might begin to expect that you add this extra stumbling block to make it harder for me to do what I want - and that's certainly no way to get my business. Every time I get an email from you, I'm reminded that I don't want to be receiving them.
I suppose it's possible that someone has hijacked my email credentials and that they may be fraudulently unsubscribing me. But that's a risk I'm willing to take. You - you hypothetical marketer you - should be too, unless you're a bank. A pissed off customer is not one who will do business with you no matter how many mailings you send.
edit: typos and correctness
> dear people who make marketing email systems, please stop requiring me to log in when I follow your unsubscribe link.
Isn't this illegal according to the CAN SPAM act, at least for the types of emails it covers? http://www.business.ftc.gov/documents/bus61-can-spam-act-com...
> Isn't this illegal according to the CAN SPAM act ...
Yes, it is. The Can-Spam Act requires a simple opt-out procedure. Therefore requiring people to sign up in order to opt out is a violation of the law. Also, if you sign up, you become a customer, and as a customer, the company acquires the right to spam you till the sun goes down (the Can-Spam Act doesn't apply to customers).
I'm not sure - in the cases I'm considering, I did initiate a relationship with them however long ago when I registered [for whatever reason], and they are giving me the option to opt out. It's a safe bet that buried somewhere in the ToS I've given them the right to contact me for marketing by registering.
But a year later when they suddenly decide to actually do that marketing, it's annoying because I no longer even know what that account is for - never mind how to log in.
Many places are making it truly one-click, but there are a fair number that still require you to authenticate before you can change 'account settings' like notification preferences.
Erm... TL;DR: Because of the existing relationship, I'm not sure that CAN SPAM applies.
That makes sense. I wasn't thinking about that distinction. It's certainly a terrible practice, regardless.
Mozilla's Persona seems like an option. You can self-host and it seems to do what you want.
Thanks, I hadn't heard about that - it's very close to what I'm looking for. I'll be taking a closer look - though without uptake across major service providers, it'll likely remain niche.
(I say this after having only skimmed it - could be wrong.)
> No, it's time to kill passwords.

> don't persist my login
You say no, but it reads yes.
I can see that - though my answer was more of a sidestepping of the question, by prefixing it with "no" it certainly doesn't seem that way.
Q: "Have you stopped beating your wife?" A: "No. It's time to discuss the appropriateness of wife beating."
Hmm...
Being that you support wild-abandon ubiquitous centralized digital identity, I'm guessing you use Gmail, in which case you can easily make a filter for the spam rather than going through the trouble of unsubscribing.
That's not quite what I support - I support identity that I control. Centralized with me (for every 'me' who participates). Not with any third party.
Filtering this stuff as spam is a workaround, though, not a solution.
I don't think so. Not in every case, anyway. The number of times I've been in an Internet cafe or hotel using a shared PC, in a rush because my taxi is waiting outside and I need to book a hotel in the next city...
It's one less thing to worry about. Sure, they could have a keylogger, or a dodgy version of their web browser - but it's one less thing to worry about when you're already in a rush.
For the super rare exception, why not just explicitly log out?
Are people really unable to imagine alternatives to a "yes/no" debate? Certain websites should never have Remember Me checkboxes and should log you out when you close the tab, like banking websites (mine does have a Remember Me checkbox, for shame). There should be a convenience cost for security, or else you're probably not doing security right. Unless it's Reddit or something, there should be no Remember Me and the cookie should expire shortly or on closing the page.
Good point. Remember the old browser modal dialogues about sites using cookies? I bet you could ask 10 people and perhaps 1 of those might actually be able to describe what a cookie is. This is a failure from on-line educators and browser manufacturers.
If you could easily identify that a site you were on had cookies stored, and that one was about you being logged in, and it was plain simple to wipe that cookie then I'm sure you'd be happier about that situation. Couple that with a default to have them disabled - until you explicitly lend your browser a little more trust - to prevent ticking those boxes in a public place. And we might all feel a little better about them.
I guess cookies though are a solution to the leave me logged in checkbox. Another technology could be used. I personally hate them as they currently are.
Even key chain programs are difficult to understand. Safari uses the user's keychain, Firefox uses its own profile to store passwords. No consistency and headaches for users.
In my experience, "remember me" on banking sites usually saves only your username/login name. Useful on your personal computers when your bank uses your 16 digit card number for login name.
I agree with the above, except I'd replace "Useful" with "Horrifying".
IMVHO, if someone has access to your cookies, you are likely dealing with problems bigger than protecting your bank card number. That implies having access to your files, physical access to the machine, or MITMing the connection to your bank. I can think of worse things that can be done with that level of access.
Maybe I'm missing something.
The biggest argument people seem to have is that "users who are not tech savvy won't remember to log out". Quick wake up call: users who aren't tech savvy don't know what "remember me" really does, and chances are they see it as a "don't make me log in again" option which they will always prefer, even if it's not as secure.
Typical users don't have a concept of security, they only want convenience.
I've always found the browser's password remembering feature annoying. I disable it immediately after installing it.
I never trust a Remember Me checkbox.
If I want to make sure I am not logged in anymore, I log out.
It seems like it should be a setting on the browser, i.e. if it's your own personal laptop then you probably want to always be remembered, and if it's an internet cafe then the browser should never remember your password. Maybe the browser could send a header indicating the preference (it could always be ignored - for bank websites etc).
This is one of the more ideal scenarios. Aren't browsers doing something similar when they send a "Do not Track header"? I can think of other instances where this kind of browser configuration can be very useful.
I don't see how that helps things. Instead of "remember to log out after using a public computer", then you would have to "remember how to find the settings for every browser to check if the internet cafe set the right 'remembered' setting or just still remember to always log out at public computers".
I've got nothing against 'Remember Me' checkboxes, if they were always unchecked by default.
The only major site where I see it checked by default is GMail. Any others?
SigFig - a website to monitor (but not change) your financials.
I e-mailed them asking them to make the default unchecked, but I just got a canned response:
"Thank you for the suggestion. We currently do not offer that feature, but we are always open to new feedback. We have added this to our list of feature requests and ideas."
No, because some users share computers, or use school, library, store, etc. computers. Just check it by default. Problem solved.
But isn't that what's being asked? If the box is checked by default, then public computers will have a whole list of email addresses and logins to steal.
The problem is that if the "Remember Me" button is checked, then once you sign in your information is already saved and you have to go through settings to remove it.
I don't even "Remember Me" on my own system. LastPass takes care of it. First thing I do after installing a browser is to uncheck remember password.
It is an atrocious setting from the nineties.
+1 for killing "remember me" checkbox
Public computers? Libraries?
They should configure their browsers to forget cookies within 30 minutes of non-use. Chrome can do this with the Vanilla browser extension, and I use it myself, with whitelisting for a few sites, to ensure most unwanted, long-living cookies get wiped clean regularly.
Logout button?
I'm forgetful.
If I forget to log out, my account is open to everyone. If I forget to click "remember me", I have to sign in twice. Making systems that fail safely in case of human error is a good thing.
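The fail-safe default argued for above (no persistence unless the user explicitly asks for it, plus a server-side idle timeout so a forgotten logout on a shared machine is bounded) sketched as server-side cookie handling. This is an added example, not code from the thread; the cookie name `sid`, the 30-minute idle limit and the 30-day remember-me lifetime are constructed values.

```python
"""Session cookie policy that fails safe unless the user opts in.

Added example (not from the discussion). Assumes a web app that issues its
own session cookie; 'sid', IDLE_TIMEOUT and REMEMBER_TTL are constructed.
"""
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 30 * 60          # transient session dies after 30 min idle
REMEMBER_TTL = 30 * 24 * 3600   # persistent login only on explicit opt-in


def issue_session_cookie(remember_me: bool = False) -> SimpleCookie:
    """Build the Set-Cookie header for a fresh login.

    With remember_me False (the 'unchecked by default' case) the cookie has
    no Max-Age, so the browser discards it when the browsing session ends.
    Only an explicit opt-in yields a persistent cookie.
    """
    c = SimpleCookie()
    c["sid"] = secrets.token_urlsafe(32)   # unguessable random session id
    c["sid"]["httponly"] = True            # keep it away from page scripts
    c["sid"]["secure"] = True              # never sent over plain HTTP
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    if remember_me:
        c["sid"]["max-age"] = REMEMBER_TTL
    return c


def session_is_valid(session: dict, now: float, remember_me: bool) -> bool:
    """Server-side check run on every request.

    A transient session also expires after IDLE_TIMEOUT seconds without
    activity, so leaving a public browser open is bounded even when the
    user forgets to log out. Revocation (logout) always wins.
    """
    if session.get("revoked"):
        return False
    if not remember_me and now - session["last_seen"] > IDLE_TIMEOUT:
        return False
    return True


def expire_cookie() -> SimpleCookie:
    """Set-Cookie header sent on logout: Max-Age=0 tells the browser to drop
    the cookie immediately (the server also marks the session revoked)."""
    c = SimpleCookie()
    c["sid"] = ""
    c["sid"]["max-age"] = 0
    c["sid"]["path"] = "/"
    return c
```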
Although one of my favorite ideas was a system I saw at a hardware store. You could use their terminals to look up products. The terminals had a pressure pad in front of them, and as soon as you stepped off the pad, it ended the session, cleared the cookies, and logged you out.
Out of curiosity, what store (assuming it's a chain, or large enough to be known outside local circles)? That's pretty nifty.
Lee Valley. They're a Canadian chain that mostly sells high quality hand tools, cabinet hardware, and gardening equipment, and apparently they're pretty popular with woodworkers in the USA as well.
I miss living within driving distance of one :/