Redditors ask, Cybernews answers: this is why you should never let browsers remember your password

With multiple passwords and constant anxiety of logging in, is letting your browser remember your password worth the risk? Every week, our team selects one pressing and common reader issue and deconstructs it to help you stay safe online.
Account fatigue is a real thing. With numerous accounts to juggle daily, the option of being “remembered” and kept logged in sounds like salvation from unnecessary anxiety.
However, those more fluent in cybersecurity know that persistent login tokens, which allow you to seamlessly log in from the same device, are not the best choice from a security perspective.
While balancing between convenience and security, how bad is it really? In a recent Reddit thread, users wanted to know the answer.
Welcome to another week of Redditors ask, Cybernews answers, where we will deconstruct how “Remember me on this device” works and provide insights on whether it is worth the risk.
How do browsers keep you logged in?
When you log in with your username and password, and you’ve ticked “Remember me,” a persistent login token is created.
This token is a unique, cryptographically generated value that is stored in the user’s browser as a cookie. It does not contain the user’s password. Instead, it serves as proof that the user has already authenticated.
Normal login sessions expire quickly. For example, when you close the browser or wait a few hours, your login session is gone. Persistent login tokens are different.
They’re designed to last for long periods, from days to months. That’s why you can reopen your laptop after a weekend and still find yourself logged in.
Convenience or safety?
This persistence provides convenience, but it also increases risk. The Cybernews research team advises being very cautious with this feature.
“Especially on devices you don't own, you should avoid pressing the ‘Remember me on this device,’ as it may compromise your accounts when someone else may be using that device,” our team explained.
On private devices, using this feature is a balance between convenience and security. Logging in every time can take longer and be less convenient.
“On the other hand, enabling such options would allow malicious actors to bypass security measures like MFA if they compromised your device.”
The team adds that using this feature often means sharing extra details about your device with the service you’re logging into. It’s usually invisible, but it adds to the pile of technical data that could spill out if that company ever gets breached.
Browser cookies have become the main target
Cybernews researchers point out that in some cases, users are not opting into persistent authentication.
Several major platforms automatically remember devices to streamline future logins, but offer no clear way to disable this behavior. Google services, including Gmail and YouTube, are among the most prominent examples.
“The Google case is significant as, in large part, it encouraged the shift in the mindset of malicious actors. They previously mostly tried stealing passwords – nowadays it's much more lucrative to steal browser cookies,” our researchers continued.
Enabling the "remember me" option on most webpages that give this choice creates long-lasting authentication cookies that are valuable to attackers as they take a long time to expire.
Even more worrying, stolen browser cookies can be used to bypass multi-factor authentication, and they sometimes continue to work even after users change their passwords.
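The token mechanism described under “How do browsers keep you logged in?” and the password-change problem above, seen from the server side. This is an added example, not code from Cybernews or from any platform named in the article; the class name, the `remember_me` cookie name and the 30-day lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days, within "days to months"

class RememberMeStore:
    """In-memory stand-in for a server-side table of persistent login tokens."""
    def __init__(self):
        self._rows = {}  # sha256(token) -> (user, expires_at)

    def issue(self, user, now=None):
        """Create a random token; the server keeps only its hash."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, no password material
        self._rows[self._digest(token)] = (user, now + TOKEN_TTL)
        return token

    def cookie_header(self, token):
        """Set-Cookie value: Max-Age makes it outlive the browser session."""
        return (f"remember_me={token}; Max-Age={TOKEN_TTL}; "
                "Secure; HttpOnly; SameSite=Lax; Path=/")

    def verify(self, token, now=None):
        """Return the user for a live token, else None. No password or MFA step."""
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token))
        if row is None or now >= row[1]:
            return None
        return row[0]

    def revoke_all(self, user):
        """Run on password change or 'sign out everywhere'; returns rows removed."""
        dead = [h for h, (u, _) in self._rows.items() if u == user]
        for h in dead:
            del self._rows[h]
        return len(dead)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

def demo():
    """Constructed scenario: a copied cookie is honoured until the server revokes it."""
    store = RememberMeStore()
    copied = store.issue("alice", now=0)     # same bytes replayed from another machine
    before = store.verify(copied, now=3600)
    store.revoke_all("alice")                # e.g. triggered by a password change
    return before, store.verify(copied, now=7200)
```

A service that never calls something like `revoke_all` when a password changes is one where a copied cookie stays valid until its own expiry.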
Redditors do not trust the feature
The Reddit thread quickly made one thing clear – there is no single answer. Users repeatedly stressed that whether “Remember me” is acceptable depends entirely on where and how it is used, not on the feature itself.
According to commentators, different apps, websites, browsers, or devices have different levels of access.
“I would personally not use tokens like that because you don't always know if your device gets compromised. Say you're logged in to a website that remembers you, and all your card details and other sensitive information are stored there,” explained one Redditor.
Another Redditor argued that the real question is not whether the feature is safe, but what your threat model looks like.
“I don’t have a padlock on my fridge. Because the convenience of not having to lock and unlock my refrigerator when I want a drink is of more value to me than the safety risk that someone might break into my house and poison my food.”
The commentators also weighed the likelihood of a device being stolen, the pain of password recovery, and the damage that could be done if someone gained unrestricted access.
Some Redditors’ verdict was a strict no.
“Never remember or store passwords and logins. The only exception I can think of would be if you need it for accessibility. For example, a very elderly person who lives alone, he's bad with technology, and also has memory problems,” said one.
Final verdict?
Whether to use it depends on the situation. The “Remember me on this device” feature is not inherently unsafe, but it might be risky.
The safest approach is selective use. The convenience tradeoff may be acceptable on well-secured personal devices or for accounts that pose low risk.
For sensitive services such as email, financial platforms, cloud storage, or work accounts, persistent login tokens significantly increase the risks. In the event of malware, phishing, or physical device theft, saved logins may cause substantial damage.
It is also important to avoid persistent logins on shared devices.