
 

Do You Want to Save Your Password for This Website?

 

Early web pages were pretty ‘dumb’ in their functionality: they were presented more like a book, as a simple way to display information. These days websites are much more sophisticated in their functions and in their interaction with the user. Many of them require authentication; for example, shopping sites such as Amazon require you to sign in to purchase, and some Microsoft sites such as MSDN require a login to proceed. In the majority of cases, when entering credentials you will be prompted to save your password.

These prompts are generated in two ways:

  • The browser has a credential store and captures usernames and passwords which are then used to populate fields on the webpage.
  • The website prompts you and then places an authentication cookie on your machine.

This second option is interesting. Cookies are small text files placed on your machine by the website. They can be used to store data, but they are of limited size and so only limited data can be stored. Newer cookies simply store a unique ID that is then used to recognise the user between sessions. On your next visit, the website detects the cookie on your machine, matches it to a user and logs you in.


But today internet security is one of the major concerns for people, and authentication is being tightened, with two- or three-factor authentication being the norm. This is a step in the other direction: now the only thing I need to log into a site as you is either your cookie or potentially only the ID, whereas before I at least needed both username and password.
Yahoo is able to testify how problematic this can be. In 2016 they revealed that they had experienced a security breach in 2013, losing the personal details of 1 billion people, and possibly all 3 billion of its users. They stated that the hacking method used was “cookie forgery”. By mimicking a user's cookie I have complete access to the user's account without ever having to know any other credentials.
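
To make the “unique ID” cookie described above concrete, here is an added example (not part of the original post, and not any particular website's code) of how a server can issue and check such a cookie so that a made-up or altered value is rejected. The cookie name `remember`, the 14-day lifetime and the in-memory `SESSIONS` table are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
SESSIONS = {}                         # assumption: stand-in for a server-side session table
MAX_AGE = 14 * 24 * 3600              # assumption: 14-day "remember me" lifetime


def _digest(session_id):
    return hashlib.sha256(session_id.encode()).hexdigest()


def _sign(session_id):
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, now=None):
    """Return a cookie value: unguessable random ID plus an HMAC tag."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the user
    # Keep only a hash of the ID, so a copy of the table is not a list of cookies.
    SESSIONS[_digest(session_id)] = (user, now + MAX_AGE)
    return f"{session_id}.{_sign(session_id)}"


def set_cookie_header(value):
    """Secure: sent over HTTPS only. HttpOnly: hidden from page scripts."""
    return (f"Set-Cookie: remember={value}; Max-Age={MAX_AGE}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def verify_cookie(value, now=None):
    """Return the user name for a genuine, unexpired cookie, otherwise None."""
    now = time.time() if now is None else now
    session_id, sep, tag = value.rpartition(".")
    # Constant-time comparison; a tag made without SERVER_KEY never matches.
    if not sep or not hmac.compare_digest(tag.encode(), _sign(session_id).encode()):
        return None
    record = SESSIONS.get(_digest(session_id))
    if record is None or now >= record[1]:
        return None  # unknown, revoked or expired
    return record[0]


def revoke(value):
    """Log out: delete the server-side record so the cookie stops working."""
    SESSIONS.pop(_digest(value.rpartition(".")[0]), None)
```

Signing and random IDs only stop a cookie from being invented or altered; a cookie copied from your machine is still accepted until it expires or is revoked, which is why the lifetime and the logout path matter.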


From a business point of view this must make you think about the systems you use. Many rely on cloud services such as Salesforce or Xero for company accounts. Do you really want this level of security in place? Most would answer no, yet their systems allow it.


This is only one of the many reasons why you need to get more of a grip on your web data. This has long gone unchallenged and unmanaged, and with a single website visit delivering over 100 cookies, the majority of them for tracking user behaviour, the problem is probably bigger than you ever thought.

 

Francesco Giarletta (Avanite CEO)
