Is it unsafe to use the "keep me logged in" feature on websites?

If this is not unsafe, then doesn't it defeat the purpose of password managers? If I stay logged in, I will never have to remember my password, right?



Comments

  • You will need the password if you manually log out (perhaps by accident), if you change your computer, if you use another browser, if you ever need to change your password, and lots of other situations. So it would be unwise to forget your password for a site.

  • brentybrenty

    Team Member
    edited December 2016

    @connorc0405: It really, really depends on the site, for a few reasons:

    1. Some websites use this "keep me logged in" option to quite literally keep you completely logged in seemingly indefinitely; if someone uses their computer, they can pretty much do anything with these types of sites.
    2. Others keep you logged in for a certain number of days, and then require you to log in again.
    3. Other sites use this mainly for ease of use, so you can browse in the context of your account, but pretty much anything serious you do (account change, purchase, etc.) requires authentication.
    4. Still others use a combination of these, for example keeping you logged in for 30 days but requiring you to authenticate again to make changes to the account or access sensitive information.

    Obviously this is kind of general and there's going to be some variation, but I ordered them from least to most secure, in ascending order.

    Certainly for #1 you usually don't need a password manager because you're just logged in all the time. But it would still be useful so that you can at least use a long, strong, unique password without having to remember and type it, and to access it on new devices where you're not already logged in. And certainly there are plenty of sites like this that I use, and I simply don't use this option. If their security is this lax (a cookie is not secure and can be hijacked — see Yahoo), I really don't want to take any chances and find out what other corners they've cut...so I use 1Password. :sunglasses:
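
The fourth kind of site described in the reply above (a 30-day "keep me logged in" cookie plus re-authentication for sensitive actions) can be sketched server-side as follows. This is an added example, not part of the original thread and not any particular site's code; the cookie layout, the key, the 15-minute step-up window and the action names are all assumptions.

```python
import hashlib
import hmac
import time

# All names and values below are assumptions made for this example.
SECRET = b"constructed-demo-key"   # server-side signing key (constructed)
REMEMBER_TTL = 30 * 24 * 3600      # "keep me logged in" lifetime: 30 days
STEP_UP_WINDOW = 15 * 60           # how recent the last password entry must be
SENSITIVE = {"change_password", "change_email", "purchase"}


def _mac(body):
    """HMAC-SHA256 over the cookie body, hex encoded."""
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, issued_at, last_auth_at):
    """Build a signed remember-me value: user|issued|last_auth|mac."""
    body = f"{user}|{issued_at}|{last_auth_at}"
    return f"{body}|{_mac(body)}"


def decide(cookie, action, now=None):
    """Return 'allow', 'reauth' (password prompt) or 'login' (full login)."""
    now = int(time.time()) if now is None else now
    try:
        user, issued, last_auth, mac = cookie.split("|")
        issued, last_auth = int(issued), int(last_auth)
    except ValueError:
        return "login"             # malformed cookie
    expected = _mac(f"{user}|{issued}|{last_auth}")
    # Constant-time comparison so the check does not leak MAC bytes.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "login"             # tampered or forged cookie
    if issued > now or now - issued > REMEMBER_TTL:
        return "login"             # outside the 30-day lifetime
    if action in SENSITIVE and now - last_auth > STEP_UP_WINDOW:
        return "reauth"            # the cookie alone is not enough here
    return "allow"
```

A copied cookie still passes the non-sensitive branch until it expires, so the step-up check limits what a hijacked session can do rather than preventing the hijack.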

This discussion has been closed.