You’re reading Signal vs. Noise, a publication about the web by 37signals since 1999.

Maybe for web apps that cater to proficient users…

I still field customer service inquiries when a user’s Internet Explorer password manager has stored the wrong password and they are unable to log in. I’ve had to conduct Gotomeetings with these users to help them change their password remember feature. In my opinion, these users when using apps from a public computer, are unlikely to log out.

Maybe depending on what type of information the application handles. Certainly not for say.. mint.com (oooh! topical!)

Yes, the time has come.

We automatically remember our users. It saves them time and its a more enjoyable experience.

To be blunt, not at all. People are lazy and/or forgetful.

No. Period.

If not remove it, how about default it to checked instead of unchecked.

No.

You are assuming a very high level of technical understanding on the part of all potential visitors. It is better to err on the side of security, and avoid having a novice user to unknowingly remain logged-in.

Visitors with advanced skills will understand the implications of remaining logged in or not. Visitors with basic skills, who tire of having to log-in frequently, will learn that they can remain logged in, and then will be aware of their decision.

The checkbox can never be killed. There are too many situations where you don’t want a log-in cookie to be created (e.g. you’re at a friend’s house, at a hotel, etc.). But the “remember me” checkbox should always be checked by default.

I consider myself to be a rather bright and computer-proficient person, and I still sometimes just forget to log out.

If a web app has an option to log out of other sessions remotely, that might make it a bit more acceptable, but the only place I’ve seen that is Gmail.

I think this would be a mistake – people tend to be forgetful and, often, busy. All it takes is one time for someone to forget and the benefit of not having to click remember me won’t be worth it.

If you think about the user’s experience – checking remember me upon login is a one-and-done and the user will rarely/never have to think about it again. That’s not a big constraint when you weigh it with an auto-remember, possibly forget on a shared computer and have your data exposed.

I also think that the user won’t necessarily expect to be permanently remembered and they might just quit the browser to log out. Oops…joke’s on you, Mr. User!

I see the “remember me” checkboxs (or “don’t you forget about me” checkboxes) to be equivalent to opt-in mailing. I’m choosing to allow your site to modify my local environment for my convenience. But that is my choice to make, not one that should be forced upon me. That is, I should not have to choose to remove my session information from the machine I’m working on to protect my privacy.

I see… every 100 logins, 1 forgotten logout. I see every 100 forgotten logouts, 1 wrong person looking at somebodys stuff. Trading that for a little usability detail? Not worth it IMHO . Unless my designer mind has overseen some technical part that makes it all easy peasy to pull off… :)

No. We just had a customer complain that the “Remember Me” checkbox wasn’t working. He explained the problem by saying, “after I log out and close my browser, the next time I come to the site, I have to login again – it doesn’t remember me.” ... because he was explicitly logging out… he seemed to totally misunderstand the purpose of the Remember me.

So, perhaps there is a better way…

Does the login to your site allow access to view sensitive information (medical record), or allow sensitive action (purchase)?

Yes – Never remember the user. No – Always remember the user.

Besides the browser can store username/password.

It depends on the target audience and sensitivity of the data. For business web apps (like 37signals’ products), I don’t think that it is necessary since it would be unlikely to be used on a shared computer.

Generally, I like Amazon’s solution where it keeps you logged in, but whenever you do anything involving sensitive data (order something, view previous orders, etc) it asks you to login.

Not even close. It may be time to ask the users if they want to log out when they close the browser though.

I think the time has come. The users will adapt to the simplification of a login and everyone will be happy. I wish…

I think this particular functionality can be left for the browsers to take care of.

The more you use remember me, the more you forget about this thing called log out, so might be a bit dangerous.

I think it should still be an option, but should be ticked by default. This way it serves as both a reminder and a way to login with pace of mind when working on a public computer.

The time I think the most about the security of my account is when I’m entering my username and password. It’s nice to get done with it and not have to keep worrying about forgetting to log out while I’m trying to use the actual service.

first reaction: No, it most definitely not.

Not even close.

I had that same thought just yesterday when working on a new project.

It’s a hard question but I’d go with “depending on the sensitivity of the data”

No.

That is all.

In my observed experience, most people don’t even know there is a logout button. They simply close the browser window to end their session.

No.

Absolutely not.

The guys at Thoughtbot just recently had this conversation with their users not too long ago as well: http://robots.thoughtbot.com/post/164115286/remember-me

They were trying to decide what the default behavior should be for their Clearance Rails authorization plugin. They came down on the side of ditching the remember me checkbox: http://robots.thoughtbot.com/post/177133611/always-remember-me

Not that their answer should also be yours, but I kind of feel like as developers we don’t really give users enough benefit of the doubt. I mean, there will always be a case for keeping the remember me checkbox, because someone won’t understand why they don’t have to log in, or that they should log out, etc. The truth is, these users don’t know enough to make the right decision for themselves… mostly, because it’s a level of understanding about web applications in general that they don’t really want to think or care about.

Personally, I think this question comes down to, what do you think is the better experience for your user? No matter what you decide, it’s going to be controversial for some portion of your user base, but then again, they will get over it… and most likely, after a while, they won’t even notice.

To illustrate this, I am a web developer, fully aware of the implications of the remember me checkbox. In writing this comment, I tried to remember which sites I had checked the remember me box, and which ones I didn’t, and what were my reasons either way. My answer: I don’t know. I couldn’t possibly tell you which ones I checked and why.

This seems to me like another opportunity to shovel the hard decision off the developer and onto the user. This, ultimately makes it harder for the user to make a choice: http://www.ted.com/talks/lang/eng/barry_schwartz_on_the_paradox_of_choice.html

No, it’s not time to kill “Remember Me”.

I don’t care about Flickr or Twitter, but I don’t want bank website to fill automatically my password.

Has the time come to stop reminding people it’s against the law to smoke on airplanes?

How about just replacing it with “Forget Me”, I am assuming there are more people logging in from their own computer than public/shared computers.

Subjectively.

One solution is to remember them by default, but require a password for anything sensitive, similar to amazon or ebay’s system. It’s more secure this way.

Absolutely not. Most people are stupid.

At first I thought you were asking if it should be killed because now every browser saves username’s and passwords so there’s no point in setting a cookie to remember the user.

No, because all of us are stupid at times (better than “huurrrr peoplez suk lol”), and the risk is too great for some situations and some people. There could be a case for many apps/sites, based on the users and content.

It would be a good synopsis for a Horror Show.

The time has come to kill the “remember me” box… and just log people out after 10 minutes of inactivity.

Every time I go to the Apple Store, I’m logging some stranger out of their Facebook. So, no, sites should still default to not remembering logins.

The “people are stupid” comments are insulting to users.

I say “yes” for the vast majority of web apps. Bank of America and Mint.com exceptions are outliers.

The tradeoff is:

cleaner code fewer bugs better user experience encouraging good web habits treating users like adults de-cluttering the interface with an unnecessary option

vs.

less customer support due to user error providing a “have it your way” intelligent default (checked remember me or OpenID or Twitter Auth, whatever makes sense of the app), with choice.

No, not even close. Good design is forgiving – it makes up for people’s mistakes.

The costs of identity theft massively outweigh the benefit of more routinely skipping login screens.

The time you describe will never come.

No. But default the checkbox to checked.

That way I can make a concious effort to allow myself to forget to logout later, if I think I might.

No.

There will never become a time. Even the most tech savvy forget to sign out…

Apart from the considerations mentioned by others—which of the following is better:

A. having a sufficiently noticeable Logout link on every page to save displaying one checkbox or B. having one checkbox and a less prominent Logout link? Personally I think removing the Logout link would be a better path, it would have far greater impact and can easily be hidden in a ‘my account’ drop-down menu layer, akin to how signin/register often is.

No – the incredibly high risk for the few outweighs the very minimal gain of the many.

Amen. But even worse is the dreaded “how long would you like your session to be?” question you see on many forums.

For a long while I believed the best compromise would be to have “remember me” checked by default. Then I realized something. Every time I login – it’s either a site which I care a lot about, or a site which I would barely have reason to return to. In former case – I would login without thinking about “remember me”... Then next time login again… Then next time think “this site is now part of my daily routine – I should check that box”... In the latter case I would be staying out and forgetting I ever logged in, without security consequences. I started to feel that keeping that remember me clear makes more sense now.

No way. Users should have the option to not be remembered. It’s quite unobtrusive, especially compared to all the other crap on web pages these days.

Which reminds me, when is 37s going to fix the mother of all usability problems: no way to log in from the service’s home page?

@Clint Pidlubny: I like your choice. “Remember me” checked as a default.

Definitely not! 1) Never underestimate the simplicity of a user’s technical understanding (that’s why we have good UI) 2) You’ve thought about usability but not real world practicality. A lot of public terminals lock you out at the end of your time limit using simplistic time tracking programs. So not everyone is going to logout on time.

Rather than ‘remember me’ or ‘forget me’ I’ve seen some sites that have a checkbox that says ‘I am on a shared computer’.

Great for people like you and me, but Joe Bloggs will find himself asking ‘what is a shared computer and why is it relevant?’ probably causing more confusion than it’s worth.

Most browsers these days give the user the option to save their username and password so I prefer to not display the ‘remember me’ option and only use a session cookie that deletes when the browser has closed.

In applications that require serious security features (i.e. online banking) I also like to the idea of automatically logging the user out after a few minutes of zero activity.

I’d still say NO. I think it’s still very dangerous to assume that users will sign out when they leave publicly shared computers.

We must kill password confirmations first.

No, because the problem it solves has got nothing to do with technology.

No way. The risk (potential danger to forgetful people) is way too large in comparison to the reward (saving a single click on a check box once every few days/weeks).

No. If I log into a bunch of things while at an Internet café, etc, why do I want to browse around several services to check I logged out of all of them if I don’t need to? With my OCD as it is, that’d be a nightmare ;-)

Security issues are tough, I’d say this needs to stay in.

Um, what was the reason for not having it you just gave? -

“assume that people using shared computers will simply logout”

Are you INSANE ? “people” will not know they have to/remember to log out and then will blame designers for not protecting them from the bad internet.

Also tech-savvy users forget to log out too. It stays.

There’s a reason why car’s don’t drive themselves (and they could if we really wanted them to) – we humans like to be in control of our own actions. Better to let people decide they want to allow anyone who opens the web browser to have access to their email than to just do it – in my opinion.

Much much better would be a unified login system that meant we didn’t have to keep typing the same details on every web page. They exist but to me seem more trouble than they’re worth.

Not sure if “Remember me” makes much sense to average users and if it’s checked much. I’ve also seen “Remember me on this computer” which is also a bit abstract. How do you get the point accros without getting overly technical and in a few words?

It reminds me of the three digit credit card security code question where the put “what is this?” to the right of the field and a pop-up window explains with an image.

If we are talking from a mobile device… yes. Actually in general yes. I believe that is the way that Google does it.

It seems obvious that if you are using a public computer you’ll need to logout when you are done.

Yes, definitely. Except for the few of us who have 14 year old msn-using teenagers at home that try to log-in on whatever computer they can get their hands on…

Kill the Remember Me checkbox, replace it with an un-checked by default “Is this a shared computer?” checkbox at log-in.

It’s worth remembering that most of the people reading and commenting here will be above-average tech savvy people, many of whom work in web development. Of course we understand the process of logging in/out, cookies, user security etc, but someone like my mum doesn’t. She just wants to get into her Hotmail account each time she boots up her computer, so a ‘Remember me’ checkbox is very useful. She doesn’t understand what the difference is between logging in on her home PC and using the one at the public library.

Also worth bearing in mind is that the internet has certain conventions and these have created user expectations. ‘Remember me’ checkboxes have been around for a long time and so to get rid of them or change them drastically could have a big effect on user expectation. People are far more accustomed to the act of checking the ‘Remember me’ than they are to logging out. As far as Joe Public is concerned, once they close the browser, they are logged out.

Plus, although we like to think people are clever enough to know, to some extent we have to cater for the ‘worst case scenario’. I’ve known people who truly believe that if you don’t check the ‘Remember me’, they’ll be logged out as soon as they try to go from the login screen to their inbox.

In short, it’ll depend on who’s using your site/app, but to suggest wholesale removal/functional changes on sites used by the masses, the cons far outweigh the pros.