
Has the time come to kill the Remember Me checkbox? (2009) - movingahead
http://37signals.com/svn/posts/1920-has-the-time-come-to-kill-the-remember#all_comments
======
GrinningFool
No, it's time to kill passwords. If I need to log in, send me two links and/or
temporary auth codes: a persistent login clearly labeled, and a transient
login for use in public places. If you're a serious site (banks, utilities,
etc), use two-factor auth, don't accept anything less and of course, don't
persist my login.

Alternatively, I keep hoping to see user-controlled federated ID gaining
traction - you know, a personal 'wallet' that I maintain myself and store all
of my identity in. And when you want to know who I am, you contact my server
and it tells you if I approve it. I'd happily take this extra step every time.
However, I've realized that this will never happen - too many people don't
care, and no major tech companies are willing to push it for fear of
backlash.

While I'm wandering further off-subject (but still reasonably tangential):
dear people who make marketing email systems, please stop requiring me to log
in when I follow your unsubscribe link. One might begin to expect that you add
this extra stumbling block to make it harder for me to do what I want - and
that's certainly no way to get my business. Every time I get an email from
you, I'm reminded that I don't want to be receiving them.

I suppose it's possible that someone has hijacked my email credentials and
that they may be fraudulently unsubscribing me. But that's a risk I'm willing
to take. You - you hypothetical marketer you - should be too, unless you're a
bank. A pissed off customer is not one who will do business with you no matter
how many mailings you send.

edit: typos and correctness

~~~
Fishkins
> dear people who make marketing email systems, please stop requiring me to
> log in when I follow your unsubscribe link.

Isn't this illegal according to the CAN SPAM act, at least for the types of
emails it covers?
http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business

~~~
GrinningFool
I'm not sure - in the cases I'm considering, I did initiate a relationship
with them however long ago when I registered [for whatever reason], and they
are giving me the option to opt out. It's a safe bet that buried somewhere in
the ToS I've given them the right to contact me for marketing by registering.

But a year later when they suddenly decide to actually do that marketing, it's
annoying because I no longer even know what that account is for - never mind
how to log in.

Many places are making it truly one-click, but there are a fair number that
still require you to authenticate before you can change 'account settings'
like notification preferences.

Erm... TL;DR: Because of the existing relationship, I'm not sure that CAN SPAM
applies.

~~~
Fishkins
That makes sense. I wasn't thinking about that distinction. It's certainly a
terrible practice, regardless.

------
basicallydan
I don't think so. Not in every case, anyway. The number of times I've been in
an Internet cafe or hotel using a shared PC, in a rush because my taxi is
waiting outside and I need to book a hotel in the next city...

It's one less thing to worry about. Sure, they could have a keylogger, or a
dodgy version of their web browser - but it's one less thing to worry about
when you're already in a rush.

~~~
jonny_eh
For the super rare exception, why not just explicitly log out?

------
detcader
Are people really unable to imagine alternatives to a "yes/no" debate? Certain
websites should never have Remember Me checkboxes and should log you out when
you close the tab, like banking websites (mine does have a Remember Me
checkbox, for shame). There should be a convenience cost for security, or else
you're probably not doing security right. Unless it's Reddit or something,
there should be no Remember Me and the cookie should expire shortly or on
closing the page.

~~~
jarek
In my experience, "remember me" on banking sites usually saves only your
username/login name. Useful on your personal computers when your bank uses
your 16 digit card number for login name.

~~~
detcader
I agree with the above, except I'd replace "Useful" with "Horrifying"

~~~
jarek
IMVHO, if someone has access to your cookies, you are likely dealing with
problems bigger than protecting your bank card number. That implies having
access to your files, physical access to the machine, or MITMing the
connection to your bank. I can think of worse things that can be done with
that level of access.

Maybe I'm missing something.

------
falkflyer
The biggest argument people seem to have is that "users who are not tech savvy
won't remember to log out". Quick wake up call: users who aren't tech savvy
don't know what "remember me" really does, and chances are they see it as a
"don't make me log in again" option which they will _always_ prefer, even if
it's not as secure.

Typical users don't have a concept of security, they only want convenience.

------
coin
I've always found the browser's password remembering feature annoying. I
disable it immediately after installing it.

------
mathrawka
I never trust a Remember Me checkbox.

If I want to make sure I am not logged in anymore, I log out.

------
ollysb
It seems like it should be a setting on the browser i.e. if it's your own
personal laptop then you probably want to always be remembered and if it's an
internet cafe then the browser should never remember your password. Maybe the
browser could send a header indicating the preference (it could always be
ignored - for bank websites etc).

~~~
movingahead
This is one of the more ideal scenarios. Aren't browsers doing something
similar when they send a "Do not Track header"? I can think of other instances
where this kind of browser configuration can be very useful.

------
kleiba
I've got nothing against 'Remember Me' checkboxes, if they were always
_unchecked_ by default.

~~~
movingahead
The only major site where I see it checked by default is GMail. Any others?

~~~
Casseres
SigFig - a website to monitor (but not change) your financials.

I e-mailed them asking them to make the default unchecked, but I just got a
canned response:

"Thank you for the suggestion. We currently do not offer that feature, but we
are always open to new feedback. We have added this to our list of feature
requests and ideas."

------
dlwiest
No, because some users share computers, or use school, library, store, etc.
computers. Just check it by default. Problem solved.

~~~
dougaitken
But isn't that what's being asked? If the box is checked by default, then public
computers will have a whole list of email addresses and logins to steal.

------
donniezazen
The problem is that if the "Remember Me" button is checked, then once you sign in
your information is already saved and you have to go through settings to
remove it.

I don't even "Remember Me" on my own system. LastPass takes care of it. First
thing I do after installing a browser is to uncheck remember password.

It is an atrocious setting from the nineties.

------
user2
+1 for killing "remember me" checkbox

------
rokusho
Public computers? Libraries?

~~~
nucleardog
Logout button?

~~~
ori_b
I'm forgetful.

If I forget to log out, my account is open to everyone. If I forget to click
"remember me", I have to sign in twice. Making systems that fail safely in
case of human error is a good thing.

Although one of my favorite ideas was a system I saw at a hardware store. You
could use their terminals to look up products. The terminals had a pressure
pad in front of them, and as soon as you stepped off the pad, it ended the
session, cleared the cookies, and logged you out.

~~~
antsar
Out of curiosity, what store (assuming it's a chain, or large enough to be
known outside local circles)? That's pretty nifty.

~~~
ori_b
Lee Valley. They're a Canadian chain that mostly sell high quality hand tools,
cabinet hardware, and gardening equipment, and apparently they're pretty
popular for woodworkers in the USA as well.

I miss living within driving distance of one :/

