
Re: Automatic logout 30-days after login


 

On Thu, Nov 1, 2018 at 06:15 PM, Jim Higgins wrote:
That's a seriously insecure way of managing passwords UNLESS you have good physical security for your computer plus require a password to logon to that computer. Otherwise anyone who sits in front of your computer can log into your Gio account.
The underlining is mine.

What you say is entirely true, but not really all that relevant. A computer (of any description) that is used for accessing Groups.io is no less vulnerable just because it has no password stored by the browser. Anyone obtaining access to that computer (including by theft or theft by finding) can simply find Groups.io (there is almost bound to be a shortcut sitting there!) and request a log-in link to be sent to the legitimate user's email account.

Now if the computer in question (which might include an easily portable device) has an "active" cookie set, the person who now has the device can access Groups.io without even having to request a log-in link to be sent.

Even 30 day expiring cookies are no more secure against the misuse of a computer than having log-in details stored by a browser. If the computer is in the wrong hands then those wrong hands have access to Groups.io, courtesy of the 30 day cookie.

Any argument against a password being stored by a browser also applies to the use of log-in cookies, be they 30 day or "non-expiring". The insecurity exists in both cases to almost the same extent.

Chris
