Cookies are a mainstay of a convenient online experience. A cookie doesn’t store passwords but keeps a unique identifier for websites to remember you. If you clear your cookies, you’ll be logged out of the sites that use them and have to enter your login information again.
Let’s look at five frequently asked questions about cookies and passwords to understand better how they work together.
1. Do Cookies Store Passwords?
Most people have heard of the risks of web cookies to user privacy. In fact, many think that cookies store passwords. Are they right?
Cookies do not store passwords. Cookies help websites “remember” that you’re logged in, so you don’t have to enter your credentials every time you visit. The design of cookie storage makes persisting passwords inside them insecure.
So, if cookies can’t store passwords, how do websites use them to remember your login information?
Good question. The answer lies in what is called a “cookie-based authentication.” It works like this:
- A user, Chris, gives a username and password at the time of login. The browser (suppose Chrome) sends a login request to the server.
- The server validates the login by looking up the username Chris in the database, hashes the supplied login password, and compares it to the previously hashed password in the database.
- If Chris exists in the system and passwords match, a session is generated with a unique Session ID (let’s call it a SID). The server does two things with this SID. One, it attaches it to Chris’s user account in its database and will use it to uniquely identify Chris.
- Second, it attaches an expiry time to the SID and returns it to the browser in a cookie. The cookie is valid for as long as that expiry time dictates.
- When Chris goes to another page on the website that requires login credentials, his browser will send that cookie along with the request.
- The server looks at the SID in the cookie, verifies that it’s still valid (not expired), compares it to the SID in its database for Chris’s account, and sees that it’s a match. The server then knows that Chris is the same person that logged in last time and can serve him the appropriate content without making him log in again.
So, while cookies cannot store passwords, they can use them to create a kind of “passwordless” login system.
2. Can You Get Passwords From Cookies?
A cookie is a means to what tech enthusiasts call “client-side storage.” It gives memory to browsers and servers by storing data on the user’s computer (with their permission, of course) and retrieving it when necessary.
Let’s take a closer look at the kind of content cookies are capable of storing. Spoiler alert: Cookies’ content does not include passwords; therefore, you can’t obtain passwords from them.
The content of a cookie is nothing more than a small piece of text. A simple cookie would appear as follows:
Name=Value; Host=example.com; Path=/account; Expires=Tue, 1 Dec 2018 10:12:05 UTC; Secure;
Cookies have six parameters that can be passed to them:
- The name of the cookie: The name given to a cookie sent by a particular server. This uniquely identifies cookies to a specific server.
- The value of the cookie: The information the cookie is responsible for sending between your computer and the server. The data can be in clear text but is usually encrypted or obfuscated for security and privacy reasons.
- Host: Tells the browser which server from which the cookies came. This allows the browser to send the cookies back to that server during future communications.
- The path the cookie is valid for: Sets the URL path in which the cookie is valid. Web pages outside that path cannot use the cookie.
- The expiration date of the cookie: The expiration attribute contains a date and time string announcing when the cookie should be invalidated. The value in the expires attribute distinguishes session cookies (which disappear when you close your web browser) from persistent cookies (which stay on your computer until they expire or you delete them).
- The need for a secure connection: This flags whether the cookie can only be used on a secure website, like one that uses SSL.
Cookies are generally harmless but can be dangerous if they fall into the wrong hands. Some people have been known to steal cookies to access people’s accounts on websites.
But wait, how can they access people’s accounts using cookies if cookies don’t contain passwords?
The answer is: A hacker can copy cookie data and use it to impersonate someone.
Suppose you sign into a site using public WiFi since session cookies are not encrypted. A hacker can copy your cookie data and use it to impersonate you and get into your account. It doesn’t happen often, but cookie theft is a risk to be aware of.
3. Does Clearing Cookies Log You Out?
Cookies store information that websites use to remember you as a returning user. This way, you don’t have to log in every time you visit the website. If you clear your cookies, the website will not remember you anymore, and you will have to log in again.
Let’s use door locks as an example for those unfamiliar with web apps. (thanks to security.stackexchange.com).
“Your account on a website can be seen as a room in a building. When you log in, the building’s owner creates a door and puts an automatic lock on it so only you can enter.
Your session token is your key and is typically stored in your browser’s cookies but can be stored elsewhere.
Discarding your token by deleting your cookies, clearing cache, etc., is simply destroying your copy of the key. “
So, the next time you want to enter, you’ll have to start the process over by logging in again, and the building owner will give you a new key.
4. Does Clearing Cookies Delete Passwords?
“I need to clear my cookies, but I really don’t want all my passwords to be gone as well. Any way to do that in Chrome, Edge, Brave, and Firefox?”
This is a valid question, especially since many of us have multiple accounts with various passwords.
Clearing cookies will not delete passwords. In all browsers, passwords are stored in their built-in password manager and not in cookies. In most cases, users will need to sign in again to websites that require authentication.
Assuming you elected to save those passwords in the browser’s password storage, they will autofill as usual.
I recommend you not use your browser’s password storage (it’s better than nothing but…). Instead, use an open-source password manager like Bitwarden or KeePass. This compartmentalizes your sensitive logins away from, for example, a hack of your Google account.
5. How Do I Delete Cookies Without Losing Passwords In Chrome?
Browsers store both saved passwords and cookies in what is called cache memory.
Cache memory is a high-speed access memory where a copy of frequently accessed data can be stored so that it can be quickly accessed the next time it is needed.
These are the steps to clear the cookies without clearing the passwords.
Step 1: Open Chrome and Click the three dots in the top-right corner of the screen.
Step 2: Select Settings from the drop-down menu.
Step 3: On the settings page, select the Privacy and Security tab
Step 4: Click on Clear browsing data under the Privacy and Security section.
Step 5: A new window will pop up with clear cookies checked.
Step 6: Select Advanced at the top of the pop-up window and uncheck saved passwords, and clear data
Now, all the cookies will be cleared from your Chrome browser without affecting the passwords stored in cache memory.
Cookies can help make logging in easier, but they don’t take away the importance of having secure passwords for all your online accounts.