
Relog or remember?


12 replies to this topic

#1 Lishy


Posted 07 December 2012 - 03:24 AM

Hi. For protecting my email and password, is it better to log out and retype my password each time I log in? Or to "remember" my login status? The latter definitely seems more convenient, but is it more secure? Even if it uses HTTPS encryption? What about SSL?

It seems like the latter protects me from keyloggers whereas the latter also puts me at risk of cookie-theft. But from a simple cookie-theft, they can't get your password, can they? And if you have ANY malware, can't they steal your cookies either way? So is it better to log out every time?

Anyways, I'm very intrigued by the threat of cookie-theft after learning more about it. I do not go on suspicious websites nor do I use NoScript, but the concept of a website I go to someday being hacked does indeed concern me, and I would like to take measures just in case of the future possibility.

So which is the better method for protecting myself? Staying logged in, or logging out?


 


#2 Didier Stevens


Posted 07 December 2012 - 04:44 AM

Hi. For protecting my email and password, is it better to log out and retype my password each time I log in?

So you are talking about webmail? What do you use?

But from a simple cookie-theft, they can't get your password, can they?

That depends on the technical design of the website. Some are badly designed: the cookie contains your password (or a simple hash/encoding of it).

I do not go on suspicious websites nor do I use NoScript, but the concept of a website I go to someday being hacked does indeed concern me

If a website you use gets hacked, they will try to steal the credentials of all users. So in this case, it doesn't matter if you "remember" or not.
To limit the damage, you should use a different password for every (important) site you use.

So which is the better method for protecting myself? Staying logged in, or logging out?

There is no answer to such a generic question. It depends on the design of the website.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
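
Post #2 notes that some sites put the password, or a simple hash or encoding of it, in the cookie. As an added example (not part of any post in this thread), this Python check compares a Set-Cookie header you received with your own password and reports missing HttpOnly/Secure flags; the function names, the password and the sample headers are constructed for illustration.

```python
import base64
import binascii
import hashlib
from http.cookies import SimpleCookie
from urllib.parse import unquote

def decodings(value):
    """Yield the cookie value as-is and URL-, base64- and hex-decoded."""
    yield value
    yield unquote(value)
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass
    try:
        yield bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        pass

def audit_cookie(set_cookie_header, password):
    """Return findings for one Set-Cookie header, checked against your own password."""
    digests = {a: hashlib.new(a, password.encode()).hexdigest()
               for a in ("md5", "sha1", "sha256")}
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = []
    for name, morsel in jar.items():
        if any(password in d for d in decodings(morsel.value)):
            findings.append(f"{name}: password present (plain or simply encoded)")
        for algo, digest in digests.items():
            if digest in morsel.value.lower():
                findings.append(f"{name}: unsalted {algo} of the password")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, page scripts can read it")
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, can travel over plain HTTP")
    return findings

# Constructed sample headers (not captured from any real site); password is made up.
PASSWORD = "hunter2"
WEAK = "auth=YWxpY2U6aHVudGVyMg==; Path=/"   # base64 of "alice:hunter2"
HASHED = "auth=" + hashlib.md5(PASSWORD.encode()).hexdigest() + "; Path=/; Secure; HttpOnly"
OPAQUE = "sid=q9Zt4Kx1Lm8Rv2Bc7Hn5Wd3Y; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK, HASHED, OPAQUE):
        print(header, "->", audit_cookie(header, PASSWORD) or "no findings")
```

An empty result only rules out the simple cases named in the post; a salted or keyed value derived from the password would not be detected by this check.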


#3 Lishy


Posted 07 December 2012 - 04:54 AM

My friend uses hotmail. Let's use that as an example. Is it considered risky for him to stay logged in constantly rather than re-logging in each session? Or are the cookies for that email service much more encrypted?

#4 Didier Stevens


Posted 07 December 2012 - 07:30 AM

For Hotmail it makes no difference.

But you should never use such a feature on public computers or computers you share with people you don't want to access your e-mail.



#5 Lishy


Posted 07 December 2012 - 03:47 PM

For Hotmail it makes no difference.

Explain. Is this a good thing or bad thing? Isn't staying logged in making a person susceptible to cookie theft? Isn't my friend at risk?

Edited by Lishy, 07 December 2012 - 03:54 PM.


#6 Didier Stevens


Posted 07 December 2012 - 06:25 PM

Like I said, it depends on the design of the site. Hotmail also sets cookies if you don't use the remember option. Just look at your cookie folder, you'll see.
You do know that there are many types of cookies? Not all are used for authentication.

Why do you worry about cookie theft? Did you just read about it, or are you in a situation where you are vulnerable?



#7 Lishy


Posted 07 December 2012 - 06:46 PM

Why do you worry about cookie theft? Did you just read about it, or are you in a situation where you are vulnerable?

I had just read about it, is the situation.

All I want to know is what behavior is more secure. Having hotmail "remember" your login, or manually re-logging in?

Edited by Lishy, 07 December 2012 - 07:32 PM.


#8 Didier Stevens


Posted 08 December 2012 - 04:49 AM

I worked with the assumption that you use the Internet like most users: you have a tabbed browser like IE and you have Hotmail open in one tab and you are using the other tabs for surfing.

Like I said, if that is the case, it doesn't matter if you use "remember" or not. Because Hotmail is open and you have cookies for Hotmail, regardless of the "remember" setting.

Edited by Didier Stevens, 08 December 2012 - 05:07 AM.



#9 Lishy


Posted 08 December 2012 - 06:47 AM

I worked with the assumption that you use the Internet like most users: you have a tabbed browser like IE and you have Hotmail open in one tab and you are using the other tabs for surfing.

Like I said, if that is the case, it doesn't matter if you use "remember" or not. Because Hotmail is open and you have cookies for Hotmail, regardless of the "remember" setting.

I'm sorry but this didn't really answer my question..

Is it better to constantly sign out of hotmail as soon as I am done using it? Does it put me at any particular cookie-theft risk if I stay logged into hotmail?

If hotmail is closed and I am signed out, then I do not have to worry about a cookie-stealing script? But are there any other defenses against a cookie stealing script besides NoScript and logging out?

Edited by Lishy, 08 December 2012 - 06:48 AM.


#10 Didier Stevens


Posted 08 December 2012 - 11:13 AM

Is it better to constantly sign out of hotmail as soon as I am done using it?


That is a different question. Signing out is not the same as using the "remember" option. You can sign out regardless of using the "remember" option or not.

If you use the same browser for Hotmail and general surfing, then it is better to sign out.



#11 Lishy


Posted 08 December 2012 - 12:36 PM

If you use the same browser for Hotmail and general surfing, then it is better to sign out.

Alright thank you.

And is there anything else I could do to protect myself against cookie theft of hotmail too?

Edited by Lishy, 08 December 2012 - 12:37 PM.


#12 Sightless


Posted 09 December 2012 - 08:43 PM


If you use the same browser for Hotmail and general surfing, then it is better to sign out.

Alright thank you.

And is there anything else I could do to protect myself against cookie theft of hotmail too?


Hi, from what I gathered from Didier Stevens' responses, cookie theft should not be a problem for major websites such as Hotmail, Gmail, etc. because of the encryption techniques they use to store your passwords.

#13 Didier Stevens


Posted 13 December 2012 - 05:22 AM

Cookie theft is just a small aspect of security issues categorized more broadly as Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF).
I will not go into more detail in XSS and CSRF.

But there is a way to protect yourself: use different browser instances for casual browsing and more sensitive sites.

For example, I've a Firefox instance that I only use for webmail, and another one for sites where I log in like BC.
And then I use Chrome for casual browsing.

Edited by Didier Stevens, 13 December 2012 - 05:23 AM.





