We’ll be honest.
Today’s Advent tip is a harder sell than most of the others we’ve done so far.
We’re suggesting that you don’t stay logged in to your favourite online services all the time.
We know how convenient it is to log in to Facebook in the morning, or at the beginning of the week, and to tick the “Keep me logged in” box.
Other sites use other words, such as “Remember me,” but the idea is the same: you log in once and then you don’t have to keep logging back in all the time.
It’s even more convenient to stay logged in via mobile apps, because typing a suitably long and secure password is harder and more error prone on a phone than it is on a regular keyboard.
Indeed, many mobile apps quietly and automatically remember your password even between reboots so the app can log you back in automatically every time you restart it.
The thing is, all this logged-in-forever convenience comes at the cost of reduced security.
Social media sites love what they call frictionlessness, which is a fancy way of saying, “We want your clicks to count, every time you click, with no need for a second thought, and with no pesky pop-up login window.”
But sometimes – quite frequently, to be honest – a second thought is exactly what you want.
ttracetalk
I can imagine a number of reasons why staying logged in could jeopardize your security, but the article doesn’t elaborate on what they actually are. Of course one obvious one is if someone else has access to your computer or unlocked phone and can impersonate you, but my phone auto locks after a few seconds idle and no-one else has access to my laptop, which is also secured with a strong password whenever I close the lid, so I’d like to know what other security risks there are apart from that obvious one.
Paul Ducklin
We’re trying to keep these tips short, 200-250 words. I figured the general reason was clear enough from the article: it’s so that the “frictionless” buttons, widgets, Likes, +1s and whatnots associated with your various online services aren’t always and inevitably frictionless, and thus aren’t always and inevitably active whether you wanted that or not.
Unless you are actively using Facebook, do you really want every Like button on every web page (or every Like button sneakily jury-rigged in every malicious web page) to be instantly activated if you happen to click it? Or do you think it might be wise, when you are attending to matters other than your FB account, if accidentally clicking a Like button came up with a “you need to login first” window? (That’s what I meant by getting a chance to have a second thought.)
A good malware-related example is the trick known as clickjacking, where a crook hides an active Like button behind other web content, such as an image, so that clicking in the image actually triggers a Like, rather than visiting the page you thought the image linked to. If you routinely log out of Facebook, you greatly reduce the period during which this trick works – if you get clickjacked while you’re logged off, the clickjack (or any similar misdirection-of-your-click trick) is instantly obvious because you see a login window instead!
Think of it like the office safe. It’s tempting to open it when you arrive in the morning, and lock it when you leave, so it’s open and easy to access during the working day in case you need it. This *may* be what you want, at least if you are present and actively using that safe all day long. But if you are routinely popping off to do other things, or if you end up not using it at all some days, or if you go and sit in the canteen at lunchtime, during which time the safe really doesn’t need to be open, it’s better to lock it and re-open it on demand, even if it’s a bit more hassle.
Bryan
Well said, thanks Duck
Mark Stockley
One of the most important reasons to log out is that it shuts off an entire category of attack known as Cross-Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
If I can get you to visit a website I control or open an email I’ve sent you then I can make your browser send requests to other websites such as Facebook, or your bank, as you.
Imagine that I’ve figured out the appropriate HTTP request a customer at your bank needs to make in order to conduct a bank transfer. If your browser is still logged in to your bank when you arrive at my site then I can run my attack because it’s *your browser* that’s doing the transfer. But your browser can’t make transfers if it’s logged out, so if it’s logged out of your bank when you arrive at my site then my CSRF attack will fail.
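The bank-transfer scenario in the comment above, as an added example that is not code from the article or from any commenter: a transfer endpoint modelled as plain functions, with a handler that trusts the session cookie alone beside one that also checks the Origin header and a per-session CSRF token. The hosts, session id and token are constructed placeholders; the SameSite cookie attribute, a further layer, is not modelled.

```javascript
// Added example (not the article's or commenters' code). All sessions, tokens,
// requests and the bank.example / attacker.example hosts are constructed samples.
const SITE_ORIGIN = "https://bank.example";
// Constructed server-side session store: session id -> { user, csrfToken }.
const SESSIONS = new Map([["sess-abc123", { user: "alice", csrfToken: "tok-4e1f9c" }]]);
// Parse a Cookie header ("a=1; b=2") into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k) out[k] = v.join("=");
  }
  return out;
}
// Vulnerable handler: trusts the session cookie alone. The browser attaches that
// cookie to every request aimed at the bank, so a page the victim merely visits
// can trigger a transfer for as long as the victim stays logged in.
function transferVulnerable(req) {
  const session = SESSIONS.get(parseCookies(req.headers.cookie).session);
  if (!session) return { status: 401, reason: "not logged in" };
  return { status: 200, reason: `transferred ${req.body.amount} for ${session.user}` };
}
// Hardened handler: the cookie still identifies the user, but the request must also
// prove it came from the bank's own pages: Origin must match (fail closed if absent)
// and the body must carry the per-session CSRF token, which no other site can read.
function transferHardened(req) {
  const session = SESSIONS.get(parseCookies(req.headers.cookie).session);
  if (!session) return { status: 401, reason: "not logged in" };
  if (req.headers.origin !== SITE_ORIGIN) return { status: 403, reason: "cross-site origin" };
  if (req.body.csrf !== session.csrfToken) return { status: 403, reason: "bad CSRF token" };
  return { status: 200, reason: `transferred ${req.body.amount} for ${session.user}` };
}
// Constructed request as a browser sends it when a third-party page auto-submits a
// form to the bank: the session cookie rides along automatically if still logged in.
function forgedRequest(loggedIn) {
  return {
    headers: { origin: "https://attacker.example", cookie: loggedIn ? "session=sess-abc123" : "" },
    body: { amount: 1000, to: "mallory" },
  };
}
// Constructed request from the bank's own transfer form, carrying the CSRF token.
function legitimateRequest() {
  return {
    headers: { origin: SITE_ORIGIN, cookie: "session=sess-abc123" },
    body: { amount: 50, to: "bob", csrf: "tok-4e1f9c" },
  };
}
```

Run the forged request through both handlers with and without the session cookie: the vulnerable one succeeds only while logged in, which is exactly the window logging out closes, while the hardened one rejects it in both cases and still accepts the bank's own form.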
MJ Barbosa
Now if Google would let us log out of our gmail acct. on our Android devices. If you can log off Google/Gmail on your computer it should sync to your Android device too.
OneOfcountlessVictimsOfTheseOverreachingNamePolicies
Sadly, you chose not to elaborate on reasons why. They would have been the meat of the article. I can only speculate you worry about stolen mobiles; but facts from actual security breaches would be better than having readers speculate.
Paul Ducklin
See above.
Sometimes, frictionlessness online makes things work “just too easily”. When you know you aren’t actually using Twitter, why stay logged in? Logging out means there’s one less thing to go wrong.
no-comply
You utterly fail to explain *why* failing to heed your advice is risky.
Paul Ducklin
*Utterly* :-) Bit harsh, isn’t it? What about the last two paragraphs? Logging out is a bit like locking your car doors while you’re driving along. In some countries, it’s advisable. In others, it doesn’t matter that much…but if you can do it, why wouldn’t you? It stops random people from yanking the passenger side door open and making trouble while you’re concentrating on something else, gives you one less thing to worry about.
Would you stay logged into your internet banking site for ever, just in case you (or some malware) wanted to click some buttons? Probably not, and it’s obvious why not. Well, the same argument applies, though perhaps without quite the same urgency and importance, for *any* website that you’re not actively using right now. Think of it as protecting you from yourself.
Steve
Well thanks for the tip Paul, as many people don’t even consider the “logout” button; as if they thought everything can stay on forever (surely they switch off their units sometimes, no?) I do log out every time I leave a service, it’s part of my routine, maybe because I’m a webdev?
Tick
My “Keep me logged in” box is always ticked and I don’t want that. How can I remove it permanently? Because it’s always back after I’ve removed it. Thanks!
Paul Ducklin
Annoyingly, if you are security conscious and remove web cookies when you exit your browser, you lose the security settings that change the website’s defaults. Many sites like to make “keep me logged in” the default (most people seem to like it), so unless you let the website set a cookie to say, “don’t use the default,” the tick box will keep coming back…
Paul Ducklin
…replying to self… Of course, if you clear cookies when exiting the browser, you (usually) clear the cookies that keep you logged in, too :-)
Geraldine Comiskey
Use a dongle on a laptop to do Internet banking. And get good cyber security.