What Are Web Cookies and How Are They Connected to Your Passwords

Cookies and Passwords

Most of you have probably conceded by now that staying anonymous on the internet is all but impossible for the regular user. Using a tiny file known as a cookie, online service providers can learn quite a lot about you in an extremely short period of time. But is this such a bad thing?

Cookies: the good and the evil

Consider the following example: you need a new laptop, and you spend some time on Amazon looking at what it has to offer. Sadly, the machines you're interested in are out of your budget, and you decide that the purchase will need to wait. A couple of days later, however, Amazon organizes a massive sale, and you learn about it from an ad on a completely different website. Thanks to a small cookie, the ad agency sees what you're interested in, and it gives you the chance to land a massive bargain.

As you can see, although they've developed a bit of a bad reputation over the last few years, cookies aren't always evil. That said, all this tracking can become a bit creepy sometimes.

Many different factors contribute to how aggressive the targeted advertising is, including but not limited to your browsing habits. If it starts to feel like an invasion of privacy, you might want to consider using your browser's private browsing mode and anti-tracking features, especially on websites that you're not sure about.

If you opt to disable cookies completely, Amazon, Facebook, and the rest of the Silicon Valley behemoths will have an even harder time keeping track of your movements. There will be side effects, though.

Cookies and your online accounts

Most modern websites don't actually work if cookies are disabled, and those that do will give you a completely different experience. By default, when you log in to an online account, the website sends a cookie that is saved on your hard drive. The next time you go to the same website, the web application checks whether that cookie exists, reads its content, and if everything's fine, it lets you use your account without asking you to enter your password again. In other words, cookies save us the trouble of having to type in our login credentials all the time.

Does that mean that our usernames and passwords are stored in them?

You can make the system work by writing the user's credentials in the cookie and saving it on their device. That way, when they get back, the cookie will be returned, the login credentials will be validated, and the web application will let them into their accounts.

There are more than a few problems with this. First of all, if the system is to work, you'll need to store people's passwords either in plain text or in a recoverable format. This, as we have mentioned numerous times on these pages, is a very bad idea.

The second problem comes from the fact that throwing sensitive information in a cookie is not advisable. Cookies are not difficult to intercept mid-flight, and scraping them from a hard drive is trivial. That's why security experts say that passwords should never be placed in a cookie, even in an encrypted format.

The right way to keep users logged in

The third and final case against saving passwords in cookies is the strongest – there is a better way of keeping people logged in. It's been around for years, and thankfully, it's now used by most websites and service providers.

After users enter their username and password on a new device, the website's backend validates the login credentials and generates a special token, which is usually a string of several dozen letters and numbers. The token might be given an expiration date, and it could also be associated with the user's IP address.

The token is then written both in a backend database and in a cookie that is saved on the user's device. Upon the next visit, the web application opens the cookie, reads the token, and compares it to the value in the database. If there's a match, the user is logged in. In addition to keeping users' passwords out of the hackers' hands, tokens can also be expired or invalidated on the server side, which makes account hijacking that much harder. It can't guarantee that the crooks will stay out, but it's by far a better idea than putting passwords in cookies, and website administrators have no excuse for using older, less safe methods.
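The token flow described above, as an added example that is not code from the original article: a Python sketch in which the "backend database" is an in-memory dict, the expiry is assumed to be seven days, the cookie is assumed to be named `session`, and only a hash of the token is kept server-side so that a leaked table does not hand out working cookies.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed stand-in for the backend database: sha256(token) -> session record.
# Only a hash of the token is stored, so a leaked table does not yield usable cookies.
SESSIONS: dict = {}

SESSION_TTL = 7 * 24 * 3600  # assumed lifetime of a session, in seconds
COOKIE_NAME = "session"      # assumed cookie name


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id: str, client_ip: str, now: Optional[float] = None) -> str:
    """Called only after the password has been verified. Mints a random token,
    records it in the backend with an expiry and the client's IP, and returns
    the value to place in the cookie. The password itself is never stored here."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 43 URL-safe letters, digits, '-' and '_'
    SESSIONS[_token_key(token)] = {
        "user_id": user_id,
        "ip": client_ip,
        "expires": now + SESSION_TTL,
    }
    return token


def session_cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps page scripts away from it, Secure keeps
    it off plaintext HTTP, SameSite=Lax limits cross-site sending."""
    return (f"{COOKIE_NAME}={token}; Max-Age={SESSION_TTL}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def user_for_cookie(token: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Look the presented token up in the backend. Returns the user id on a
    match, or None when the token is unknown, expired, or sent from another IP."""
    now = time.time() if now is None else now
    record = SESSIONS.get(_token_key(token))
    if record is None:
        return None
    if now >= record["expires"] or record["ip"] != client_ip:
        return None
    return record["user_id"]


def revoke_session(token: str) -> None:
    """Log out: deleting the backend record invalidates the cookie immediately."""
    SESSIONS.pop(_token_key(token), None)
```

Binding the token to the client IP, as the article mentions, is a trade-off: it blocks a stolen cookie from elsewhere but also logs out users whose address changes, so many sites leave it out.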

In recent years, we've seen plenty of privacy concerns surrounding cookies. Some of the paranoia is justified, and some of it isn't. The truth is, however, modern internet surfing wouldn't be possible without cookies. What's more, in a correctly built system, the humble cookie can actually help protect the user.

January 29, 2019
