Great write up. It was interesting to see what other’s responses to the questions were.

I just wanted to mention that I think having the ‘remember me’ checked by default would be a bad idea. If it is off by default and you want to be remembered, you only have to remember to check it once. But if it is on by default then you would have to uncheck it every time you logged in.

I also think that password theft was not mentioned because it is usually not the websites themselves that are involved and instead are ‘hackers’ just compromising accounts via dictionary or brute force attacks. If word got out that a website was storing plain text passwords, let alone letting them get out into the wild, that website would quickly become a wasteland. Not something website operators are aiming for in this day and age when everyone is trying to be the next big thing.

/2c

J

Interesting research. I wish I had seen it to participate.

Another factor to consider is the actions the user is taking – as you mentioned briefly regarding LinkedIn.

While I may want a website to remember me for my preferences when I visit, if I am changing my account information – or even deleting my account – I would like a site to reauthenticate me.

I think there is a definite case for action-based authentication prompting rather than simply website-based as the risks of various actions varies. The ultimate would be allowing people to decide when they wish to be prompted to authenticate by action – however I would only expect a few people to customize these settings.

In future research it would also be interesting to look at cross-website authentication, such as via OpenID or the myriad of sites that prompt log-in via Twitter or Facebook (and may post things to your timeline).

I wonder how worried people are about these services gaining acccess to passwords – and potentially keeping or even selling them.
Cheers

Craig