Storing Passwords in Cookies

[scanman20]

Obviously you should never store passwords in cookies in clear text in order to remember users so that they can automatically login to a site. However, even if you encrypt a user's password, or use some random token, couldn't someone with access to a machine copy and use that cookie on another machine to login as that user? Pardon my ignorance if I'm missing something obvious, but isn't this a distinct possibility? Is that why financial institutions and other sites that deal with money don't allow you to store your password?

[ScallioXTX]

You're completely right.

Whatever people say, never store a password, or the hash of a password, or whatever in a cookie.

See Session hijacking

And yes, I would suppose that is why banks etc don't let you store your password. Suppose it would store my password, and someone logs in to my banking account on my computer (or steals my computer and then logs in) and transfers all my money to himself ...
Just makes it too easy for people who are up to no good

[scanman20]

I thought so, thanks for the confirmation. I searched around and found a great article at http://jaspan.com/improved_persisten..._best_practice which discusses this very issue. The author seems to have a solid solution although I haven't yet read through all of the comments to see if anyone managed to shoot holes in his plan. Thanks.

[felgall]

And yes, I would suppose that is why banks etc don't let you store your password.

The banks can't stop you storing your password - most browsers these days have a save password option built right into the browser that doesn't rely on cookies to save the passwords. The browsers usually also offer a master password setup where the stored passwords can only be used if you enter the master password before using the first one - that prevents someone else using the passwords since they don't know the master password.

Since all decent browsers offer to save passwords for you with appropriate security within the browser there is no point in setting up a less secure option of your own using cookies.

[ScallioXTX]

The banks can't stop you storing your password - most browsers these days have a save password option built right into the browser that doesn't rely on cookies to save the passwords. The browsers usually also offer a master password setup where the stored passwords can only be used if you enter the master password before using the first one - that prevents someone else using the passwords since they don't know the master password.

Since all decent browsers offer to save passwords for you with appropriate security within the browser there is no point in setting up a less secure option of your own using cookies.

Doesn't autocomplete="false" on username/password fields tell the browser not to store the username password?
If so, I think banks should use this.

PS. My bank doesn't use a password, but a device that generates tokens, so I don't really know how websites of banks that use passwords work. Although I my opinion they should do all they can to prevent the browser from storing passwords!

[scanman20]

Right, the save password browser option is very different and I don't want to get off topic but thanks for your insight. I just wanted to confirm that even if an encrypted password, or some random token is stored with a username in a cookie, that it would be possible to intercept, or if someone had access to the computer, copy the cookie, and use it on another machine to gain access to an account. Apparently, this is very possible.

[sk89q]

Since all decent browsers offer to save passwords for you with appropriate security within the browser there is no point in setting up a less secure option of your own using cookies.

I disagree with this. Given all the sites I visit with logins, having to login to each one every time I start up my browser would be quite painful. On some sites, I have more than one login, and having to switch between logins in Firefox and Chrome is even more painful.

[logic_earth]

Using a simple random token that periodically changes either after a set time, user action, or both. When it comes to viewing sensitive data or altering settings like email ask for credentials as well as update the token.

Well that is what I would have done.