I’ve been unable to find any research or information on this.
Google periodically signs me out and forces me to sign back in. I have multiple devices and multiple Google accounts so it’s a bit frustrating, but that’s just how it is. However, I was thinking about whether this practice is actually secure.
- It seems to encourage easy-to-remember / easy-to-type passwords over longer stronger passwords
- There’s more chance for a keylogger to intercept a password
- There’s more chance for a physical observer to watch you enter a password
- It may desensitise users and lead to them automatically entering their password without checking a URL
How does this balance against the inherent insecurity of indefinitely extending a login’s lifetime?
It’s worth noting that Google doesn’t ever log me out of my mobile device – I wonder why it treats this environment differently? Security vs UX concerns?