Has the time come to kill the Remember Me checkbox? (2009) (opens in new tab)

(37signals.com)

29 pointsmovingahead12y ago37 comments

37 comments

No, it's time to kill passwords. If I need to log in, send me two links and/or temporary auth codes: a persistent login clearly labeled, and a transient login for use in public places. If you're a serious site (banks, utilities, etc), use two-factor auth, don't accept anything less and of course, don't persist my login.

Alternatively, I keep hoping to see user-controlled federated ID gaining traction - you know, a personal 'wallet' that I maintain myself and store all of my identity in. And when you want to know who I am, you contact my server and it tells if if I approve it. I'd happily take this extra step every time. However, I've realized that this will never happen - too many people don't care, and no major tech companies are willing to push it for fear for backlash.

While I'm wandering further off-subject (but still reasonably tangential): dear people who make marketing email systems, please stop requiring me to log in when I follow your unsubscribe link. One might begin to expect that you add this extra stumbling block to make it harder for me to do what I want - and that's certainly no way to get my business. Every time I get an email from you, I'm reminded that I don't want to be receiving them.

I suppose it's possible that someone has hijacked my email credentials and that they may be fraudulently unsubscribing me. But that's a risk I'm willing to take. You - you hypothetical marketer you - should be too, unless you're a bank. A pissed off customer is not one who will do business with you no matter how many mailings you send.

edit: typos and correctness

Fishkins12y ago

> dear people who make marketing email systems, please stop requiring me to log in when I follow your unsubscribe link.

Isn't this illegal according to the CAN SPAM act, at least for the types of emails it covers? http://www.business.ftc.gov/documents/bus61-can-spam-act-com...

lutusp12y ago

> Isn't this illegal according to the CAN SPAM act ...

Yes, it is. The Can-Spam Act requires a simple opt-out procedure. Therefore requiring people to sign up in order to opt out is a violation of the law. Also, if you sign up, you become a customer, and as a customer, the company acquires the right to spam you till the sun goes down (the Can-Spam Act doesn't apply to customers).

GrinningFool12y ago

I'm not sure - in the cases I'm considering, I did initiate a relationship with them however long ago when I registered [for whatever reason], and they are giving me the option to opt out. It's a safe bet that buried somewhere in the ToS I've given them the right to contact me for marketing by registering.

But a year later when they suddenly decide to actually do that marketing, it's annoying because I no longer even know what that account is for - never mind how to log in.

Many places are making it truly one-click, but there are a fair number that still require you to authenticate before you can change 'account settings' like notification preferences.

Erm... TL;DR: Because of the existing relationship, I"m not sure that CAN SPAM applies.

1 more reply

arjie12y ago

Mozilla's Persona seems like an option. You can self-host and it seems to do what you want.

GrinningFool12y ago

Thanks, I hadn't heard about that - it's very close to what I'm looking for. I'll be taking a closer look - though without uptake across major service providers, it'll likely remain niche.

(I say this after having only skimmed it - could be wrong.)

jpswade12y ago

>No, it's time to kill passwords. >don't persist my login

You say no, but it reads yes.

GrinningFool12y ago

I can see that - though my answer was more of a sidestepping of the question, by prefixing it with "no" it certainly doesn't seem that way.

Q: "Have you stopped beating your wife?" A: "No. It's time to discuss the appropriateness of wife beating."

Hmm...

_bfhp12y ago

Being that you support wild-abandon ubiquitous centralized digital identity, I'm guessing you use Gmail, in which case you can easily make a filter for the spam rather than going through the trouble of unsubscribing.

GrinningFool12y ago

That's not quite what I support - I support identity that I control. Centralized with me (for every 'me' who participates). Not with any third party.

Filtering this stuff as spam is a workaround, though, not a solution.

basicallydan12y ago

I don't think so. Not in every case, anyway. The number of times I've been in an Internet cafe or hotel using a shared PC, in a rush because my taxi is waiting outside and I need to book a hotel in the next city...

It's one less thing to worry about. Sure, they could have a keylogger, or a dodgy version of their web browser - but it's one less thing to worry about when you're already in a rush.

jonny_eh12y ago

For the super rare exception, why not just explicitly log out?

_bfhp12y ago

Are people really unable to imagine alternatives to a "yes/no" debate? Certain websites should never have Remember Me checkboxes and should log you out when you close the tab, like banking websites (mine does have a Remember Me checkbox, for shame). There should be a convenience cost for security, or else you're probably not doing security right. Unless it's Reddit or something, there should be no Remember Me and the cookie should expire shortly or on closing the page.

inthewind12y ago

Good point. Remember the old browser modal dialogues about sites using cookies? I bet you could ask 10 people and perhaps 1 of those might actually be able to describe what a cookie is. This is a failure from on-line educators and browser manufacturers.

If you could easily identify that a site you were on had cookies stored, and that one was about you being logged in, and it was plain simple to wipe that cookie then I'm sure you'd be happier about that situation. Couple that with a default to have them disabled - until you explicitly lend your browser a little more trust - to prevent ticking those boxes in a public place. And we might all feel a little better about them.

I guess cookies though are a solution to the leave me logged in checkbox. Another technology could be used. I personally hate them as they currently are.

Even key chain programs are difficult to understand. Safari uses user key-chain, Firefox uses it's own profile to store passwords. No consistency and headaches for users.

jarek12y ago

In my experience, "remember me" on banking sites usually saves only your username/login name. Useful on your personal computers when your bank uses your 16 digit card number for login name.

_bfhp12y ago

I agree with the above, except I'd replace "Useful" with "Horrifying"

1 more reply

falkflyer12y ago

The biggest argument people seem to have is that "users who are not tech savvy won't remember to log out". Quick wake up call: users who aren't tech savvy don't know what "remember me" really does, and chances are they see it as a "don't make me log in again" option which they will always prefer, even if it's not as secure.

Typical users don't have a concept of security, they only want convenience.

coin12y ago

I've always found the browser's password remembering feature annoying. I disable it immediately after installing it.

mathrawka12y ago

I never trust a Remember Me checkbox.

If I want to make sure I am not logged in anymore, I log out.

ollysb12y ago

It seems like it should be a setting on the browser i.e. if it's your own personal laptop then you probably want to always be remembered and if it's an internet cafe then the browser should never remember your password. Maybe the browser could send a header indicating the preference(it could always be ignored - for bank websites etc).

movingaheadOP12y ago

This is one of the more ideal scenarios. Aren't browsers doing something similar when they send a "Do not Track header"? I can think of other instances where this kind of browser configuration can be very useful.

isleyaardvark12y ago

I don't see how that helps things. Instead of "remember to log out after using a public computer", then you would have to "remember how to find the settings for every browser to check if the internet cafe set the right 'remembered' setting or just still remember to always log out at public computers".

kleiba12y ago

I've got nothing against 'Remember Me' checkboxes, if they were always unchecked by default.

movingaheadOP12y ago

The only major site where I see it checked by default is GMail. Any others?

Casseres12y ago

SigFig - a website to monitor (but not change) your financials.

I e-mailed them asking them to make the default unchecked, but I just got a canned response:

"Thank you for the suggestion. We currently do not offer that feature, but we are always open to new feedback. We have added this to our list of feature requests and ideas."

dlwiest12y ago

No, because some users share computers, or use school, library, store, etc. computers. Just check it by default. Problem solved.

dougaitken12y ago

but isn't what's being asked? If the box is checked by default, then public computers will have a whole list of email address and logins to steal

donniezazen12y ago

The problem is if "Remember Me" button is checked in then once you sign-in your information is already saved and you have to go through settings to remove it.

I don't even "Remember Me" on my own system. LastPass takes care of it. First thing I do after installing a browser is to uncheck remember password.

It is an atrocious setting from nineties.

user212y ago

+1 for killing "remember me" checkbox

rokusho12y ago

Public computers? Libraries?

LoganCale12y ago

They should configure their browsers to forget cookies within 30 minutes of non-use. Chrome can do this with the Vanilla browser extension, and I use it myself, with whitelisting for a few sites, to ensure most unwanted, long-living cookies get wiped clean regularly.

nucleardog12y ago

Logout button?

ori_b12y ago

I'm forgetful.

If I forget to log out, my account is open to everyone. If I forget to click "remember me", I have to sign in twice. Making systems that fail safely in case of human error is a good thing.

Although one of my favorite ideas was a system I saw at a hardware store. You could use their terminals to look up products. The terminals had a pressure pad in front of them, and as soon as you stepped off the pad, it ended the session, cleared the cookies, and logged you out.

1 more reply

j / k navigate · click thread line to collapse

37 comments

GrinningFool12y ago

edit: typos and correctness

Fishkins12y ago

> dear people who make marketing email systems, please stop requiring me to log in when I follow your unsubscribe link.

Isn't this illegal according to the CAN SPAM act, at least for the types of emails it covers? http://www.business.ftc.gov/documents/bus61-can-spam-act-com...

lutusp12y ago

> Isn't this illegal according to the CAN SPAM act ...

GrinningFool12y ago

But a year later when they suddenly decide to actually do that marketing, it's annoying because I no longer even know what that account is for - never mind how to log in.

Many places are making it truly one-click, but there are a fair number that still require you to authenticate before you can change 'account settings' like notification preferences.

Erm... TL;DR: Because of the existing relationship, I"m not sure that CAN SPAM applies.

1 more reply

arjie12y ago

Mozilla's Persona seems like an option. You can self-host and it seems to do what you want.

GrinningFool12y ago

Thanks, I hadn't heard about that - it's very close to what I'm looking for. I'll be taking a closer look - though without uptake across major service providers, it'll likely remain niche.

(I say this after having only skimmed it - could be wrong.)

jpswade12y ago

>No, it's time to kill passwords. >don't persist my login

You say no, but it reads yes.

GrinningFool12y ago

I can see that - though my answer was more of a sidestepping of the question, by prefixing it with "no" it certainly doesn't seem that way.

Q: "Have you stopped beating your wife?" A: "No. It's time to discuss the appropriateness of wife beating."

Hmm...

_bfhp12y ago

GrinningFool12y ago

That's not quite what I support - I support identity that I control. Centralized with me (for every 'me' who participates). Not with any third party.

Filtering this stuff as spam is a workaround, though, not a solution.

basicallydan12y ago

It's one less thing to worry about. Sure, they could have a keylogger, or a dodgy version of their web browser - but it's one less thing to worry about when you're already in a rush.

jonny_eh12y ago

For the super rare exception, why not just explicitly log out?

_bfhp12y ago

inthewind12y ago

I guess cookies though are a solution to the leave me logged in checkbox. Another technology could be used. I personally hate them as they currently are.

Even key chain programs are difficult to understand. Safari uses user key-chain, Firefox uses it's own profile to store passwords. No consistency and headaches for users.

jarek12y ago

In my experience, "remember me" on banking sites usually saves only your username/login name. Useful on your personal computers when your bank uses your 16 digit card number for login name.

_bfhp12y ago

I agree with the above, except I'd replace "Useful" with "Horrifying"

1 more reply

falkflyer12y ago

Typical users don't have a concept of security, they only want convenience.

coin12y ago

I've always found the browser's password remembering feature annoying. I disable it immediately after installing it.

mathrawka12y ago

I never trust a Remember Me checkbox.

If I want to make sure I am not logged in anymore, I log out.

ollysb12y ago

movingaheadOP12y ago

isleyaardvark12y ago

kleiba12y ago

I've got nothing against 'Remember Me' checkboxes, if they were always unchecked by default.

movingaheadOP12y ago

The only major site where I see it checked by default is GMail. Any others?

Casseres12y ago

SigFig - a website to monitor (but not change) your financials.

I e-mailed them asking them to make the default unchecked, but I just got a canned response:

"Thank you for the suggestion. We currently do not offer that feature, but we are always open to new feedback. We have added this to our list of feature requests and ideas."

dlwiest12y ago

No, because some users share computers, or use school, library, store, etc. computers. Just check it by default. Problem solved.

dougaitken12y ago

but isn't what's being asked? If the box is checked by default, then public computers will have a whole list of email address and logins to steal

donniezazen12y ago

The problem is if "Remember Me" button is checked in then once you sign-in your information is already saved and you have to go through settings to remove it.

I don't even "Remember Me" on my own system. LastPass takes care of it. First thing I do after installing a browser is to uncheck remember password.

It is an atrocious setting from nineties.

user212y ago

+1 for killing "remember me" checkbox

rokusho12y ago

Public computers? Libraries?

LoganCale12y ago

nucleardog12y ago

Logout button?

ori_b12y ago

I'm forgetful.

If I forget to log out, my account is open to everyone. If I forget to click "remember me", I have to sign in twice. Making systems that fail safely in case of human error is a good thing.

1 more reply

j / k navigate · click thread line to collapse