Keep Me Signed In: Account Security Risk?

TL;DR

Ticking “Keep me signed in” makes logging in easier, but it does increase the risk of another user on that computer accessing your accounts. It’s generally safer to avoid this option, especially on shared computers.

Understanding the Risk

When you select “Keep me signed in”, the website stores a cookie (a small file) on your computer. This cookie contains information that allows you to stay logged in without re-entering your username and password each time. The problem is, anyone who can access your browser profile can potentially use this cookie.

Step-by-Step Guide: Assessing & Mitigating the Risk

  1. Identify if it’s a Shared Computer: Is this computer used by multiple people? This includes family members, housemates, or anyone with physical access. If yes, proceed to step 2. If no (it’s your personal, secured device), the risk is much lower, but still consider the steps below for added security.
  2. Browser Profiles: Most modern browsers allow multiple user profiles. This is the best way to share a computer safely.
    • Chrome: Click your profile icon (top right) > Add. Create separate profiles for each user.
    • Firefox: Type about:profiles in the address bar > Create New Profile.
    • Edge: Click your profile icon (top right) > Add profile.

    Each profile has its own cookies, history, and settings, preventing users from accessing each other’s accounts.

  3. Clear Browser Cookies Regularly: If you must use “Keep me signed in” on a shared computer (not recommended), clear your browser cookies frequently.
    • Chrome: Settings > Privacy and security > Clear browsing data. Select ‘Cookies and other site data’ and choose ‘All time’.
    • Firefox: Settings > Privacy & Security > Cookies and Site Data > Clear Data.
    • Edge: Settings > Privacy, search, and services > Clear browsing data. Select ‘Cookies and other site data’ and choose ‘All time’.

    Be aware this will log you out of all websites.

  4. Enable Two-Factor Authentication (2FA): This is the most important step! 2FA adds an extra layer of security, even if someone gets your password or cookie.
    • Most major services (Google, Facebook, Microsoft, etc.) offer 2FA.
    • Enable it in your account settings under ‘Security’ or ‘Privacy’.
    • You’ll typically need a smartphone app (like Google Authenticator, Authy) to generate codes.

    Example: When logging in, you enter your password and then a code from your phone (sent by text message or generated by an authenticator app).

  5. Check for Suspicious Activity: Regularly review your account activity logs for any logins from unknown locations or devices.
    • Most services have an ‘Activity’ section in their settings.
  6. Use a Strong Password Manager: A password manager creates and stores strong, unique passwords for each of your accounts. This reduces the risk if one account is compromised.

    Popular options include LastPass, 1Password, and Bitwarden.

Technical Detail (Cookies)

Cookies are text files stored by websites in your browser. They can be accessed by anyone with access to your browser profile. The specific cookie names used for ‘Keep me signed in’ vary depending on the website, but they generally contain a unique identifier linked to your account.

// Example Cookie (This is illustrative - actual cookies are more complex)
Name: session_id
Value: abcdef1234567890
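To make the risk concrete from the server's side, here is an added example (not code from the original post) of how a "Keep me signed in" token is typically issued, checked, listed and revoked. The cookie name remember_me, the 30-day lifetime, the function names and the sample users and devices are assumptions; it uses only the Python standard library and an in-memory store. The point it demonstrates: whoever presents the cookie is treated as the logged-in user, so the protections that actually limit a copied cookie are a hashed server-side record, an expiry, the Secure/HttpOnly/SameSite attributes, and a "sign out of all devices" action that invalidates every outstanding token.

```python
# Added example (not from the original post): a minimal server-side
# "Keep me signed in" scheme using only the Python standard library.
# Cookie name, lifetime, function names and sample users/devices are assumptions.
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

COOKIE_NAME = "remember_me"            # assumed name; real sites differ
TOKEN_LIFETIME = timedelta(days=30)    # assumed lifetime


class RememberMeStore:
    """Server-side record of issued tokens. Only a SHA-256 hash of each token
    is kept, so a leaked copy of this table cannot be replayed as cookies."""

    def __init__(self, now=None):
        self._records = {}   # token hash -> {"user", "device", "issued", "expires"}
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, device):
        """Called once the user has fully logged in (password plus any 2FA).
        The returned token is the cookie value; it is never stored in clear."""
        token = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        now = self._now()
        self._records[self._hash(token)] = {
            "user": user, "device": device,
            "issued": now, "expires": now + TOKEN_LIFETIME,
        }
        return token

    def lookup(self, token):
        """Returns the user for a presented cookie, or None. Anyone holding the
        cookie is treated as that user, which is exactly the shared-computer risk."""
        key = self._hash(token)
        rec = self._records.get(key)
        if rec is None:
            return None
        if rec["expires"] <= self._now():
            del self._records[key]            # expired: drop it
            return None
        return rec["user"]

    def active_sessions(self, user):
        """What a 'review your account activity' page lists: one row per live token."""
        now = self._now()
        return [{"device": r["device"], "issued": r["issued"].isoformat()}
                for r in self._records.values()
                if r["user"] == user and r["expires"] > now]

    def revoke_all(self, user):
        """'Sign out of all devices': deletes every token for the user, which is
        what turns a copied cookie into a useless string after the fact."""
        doomed = [h for h, r in self._records.items() if r["user"] == user]
        for h in doomed:
            del self._records[h]
        return len(doomed)


def build_set_cookie(token):
    """Set-Cookie header value with the attributes that limit exposure: Secure
    (HTTPS only), HttpOnly (not readable by page scripts), SameSite=Lax, Max-Age."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["max-age"] = int(TOKEN_LIFETIME.total_seconds())
    morsel["path"] = "/"
    return morsel.OutputString()


def parse_cookie_header(header):
    """Pulls the remember-me token out of a browser's Cookie request header."""
    cookie = SimpleCookie()
    cookie.load(header)
    morsel = cookie.get(COOKIE_NAME)
    return morsel.value if morsel else None


def token_rejected_after_lifetime():
    """Self-check with a fake clock: a token must stop working once it expires."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    store = RememberMeStore(now=lambda: clock[0])
    token = store.issue("bob", "laptop")          # constructed sample
    clock[0] += TOKEN_LIFETIME + timedelta(seconds=1)
    return store.lookup(token) is None


if __name__ == "__main__":
    store = RememberMeStore()
    token = store.issue("alice", "shared family PC")   # constructed sample
    print(build_set_cookie(token))
    print(store.lookup(parse_cookie_header(f"{COOKIE_NAME}={token}; theme=dark")))
    print(store.active_sessions("alice"))
    print("revoked:", store.revoke_all("alice"), "lookup now:", store.lookup(token))
    print("expiry enforced:", token_rejected_after_lifetime())
```

Two design choices matter here. The server stores only a hash of the token, so the value in the browser is the single copy that works, and revoke_all is what a "sign out everywhere" button should call, which is the reason step 5's activity review is worth doing: seeing a device you do not recognise should lead straight to revoking all sessions and changing the password. Note also that the cookie is issued after the full login, 2FA included, so a copied cookie does not prompt for a second factor again; expiry and revocation are the controls that bound that exposure.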

Cyber Security Best Practices

  • Keep your operating system and browser up to date.
  • Use anti-virus software.
  • Be cautious of phishing attempts (emails or websites asking for your password).