By Leo Notenboom
Do IE browser cookies store my password? For example, if someone once logged into my webmail account and saved the cookie on his computer. Will he still be able to access the account using the old cookie if I later changed my password?
It’s time again for one of my most common answers: it depends.
It depends, mostly, on what webmail service you’re using.
Regardless, you may very well be at risk – not only for web mail, but any account that requires you to login.
First let’s be clear about something – it’s the web site you’re visiting that determines what is and is not saved in cookies. IE
actually has nothing to do with the decision, other than providing the mechanisms to store and retrieve cookies.
Since it’s the websites decision, the answer of exactly what gets stored in a cookie will vary dramatically from site to site.
Each will probably save something very different than all the others.
In general, the strictest answer to your question is no, websites do not actually store your password in the cookies that they
place on your machine. That would be fairly poor security, as then anyone with access to your machine could examine the contents of
the cookies and retrieve your password. I’m sure it’s been done, but most of the commercial services have hopefully moved to more
At a minimum, the password is hashed or encrypted, meaning that the cookie makes sense only to the service in question, and can’t be deciphered. Better yet, the cookies might contain some other kind of data not related to your password at all, but related to
information contained on the service’s computer. For example, the cookie might contain the number 12, and then the service can look
up in its table of currently logged in users entry number 12 and determine if you’re logged in, how long you’ve been active, and
whatever else they need to know to provide their functionality.
But you may still be at risk.
The information that’s kept in cookies or wherever is used to keep you logged in – so that you don’t have to login to see every
page, every message, every click in your webmail program. Even if you browse to a different site when you return it’ll probably
remember that you’re logged in for a while.
FaceBook URL: Leo’s Facebook
Twitter URL: http://twitter.com/askleo