No, it's time to kill passwords. If I need to log in, send me two links and/or temporary auth codes: a persistent login clearly labeled, and a transient login for use in public places. If you're a serious site (banks, utilities, etc.), use two-factor auth, don't accept anything less and of course, don't persist my login.<p>Alternatively, I keep hoping to see user-controlled federated ID gaining traction - you know, a personal 'wallet' that I maintain myself and store all of my identity in. And when you want to know who I am, you contact my server and it tells you if I approve it. I'd happily take this extra step every time. However, I've realized that this will never happen - too many people don't care, and no major tech companies are willing to push it for fear of backlash.<p>While I'm wandering further off-subject (but still reasonably tangential): dear people who make marketing email systems, please stop requiring me to log in when I follow your unsubscribe link. One might begin to expect that you add this extra stumbling block to make it harder for me to do what I want - and that's certainly no way to get my business. Every time I get an email from you, I'm reminded that I don't want to be receiving them.<p>I suppose it's possible that someone has hijacked my email credentials and that they may be fraudulently unsubscribing me. But that's a risk I'm willing to take. You - you hypothetical marketer you - should be too, unless you're a bank. A pissed-off customer is not one who will do business with you no matter how many mailings you send.<p>edit: typos and correctness
I don't think so. Not in every case, anyway. The number of times I've been in an Internet cafe or hotel using a shared PC, in a rush because my taxi is waiting outside and I need to book a hotel in the next city...<p>It's one less thing to worry about. Sure, they could have a keylogger, or a dodgy version of their web browser - but it's one less thing to worry about when you're already in a rush.
Are people really unable to imagine alternatives to a "yes/no" debate? Certain websites should never have Remember Me checkboxes and should log you out when you close the tab, like banking websites (mine does have a Remember Me checkbox, for shame). There should be a convenience cost for security, or else you're probably not doing security right. Unless it's Reddit or something, there should be no Remember Me and the cookie should expire shortly or on closing the page.
The biggest argument people seem to have is that "users who are not tech savvy won't remember to log out". Quick wake-up call: users who aren't tech savvy don't know what "remember me" really does, and chances are they see it as a "don't make me log in again" option which they will <i>always</i> prefer, even if it's not as secure.<p>Typical users don't have a concept of security, they only want convenience.
It seems like it should be a setting on the browser, i.e. if it's your own personal laptop then you probably want to always be remembered, and if it's an internet cafe then the browser should never remember your password. Maybe the browser could send a header indicating the preference (it could always be ignored - for bank websites etc.).
The problem is that if the "Remember Me" button is checked, then once you sign in your information is already saved and you have to go through settings to remove it.<p>I don't even use "Remember Me" on my own system. LastPass takes care of it. The first thing I do after installing a browser is to uncheck remember password.<p>It is an atrocious setting from the nineties.