How does Suggestions Work?

bigfriggin

When I open 1Password from the browser plugin, how does 1Password determine which secret entry to show in "Suggestions" based on the URL in the browser? I'm trying to limit the number of duplicates in my database by putting the URLs of each internal company website in my "Domain Credentials" secret, but other secrets with unrelated URLs keep showing up in "Suggestions".

I remember in older versions of 1Password there was a configuration option for something like "strict URL matching in Suggestions" but I can't find anything similar now.

Basically, I'd like info on how to customize the Suggestions experience when using the browser plugin. Help?

---

1Password Version: 7.3.1
Extension Version: 4.7.5.90
OS Version: 10.14.6
Sync Type: 1Password Cloud
Referrer: forum-search:how do suggestions work

ag_ana

Hi @bigfriggin!

The main thing that 1Password looks at is the website fields in your 1Password items to know what to suggest to you. If you store the URLs for your entries in a different field ("Domain Credentials" in your case, if I understood correctly), 1Password will not be able to suggest the correct items for the website you are in, and will default to showing you even unrelated items.

AGAlumB

@bigfriggin: While we're not going to be able to share the code that does the rest as far as intelligently suggesting (non-Login) item based on the actual webpage, it's actually pretty simple, as far as website URLs: 1Password suggests Login matches for the current domain.tld; it will not show Logins which are for a different one. Otherwise a malicious website could trick you into filling credentials for another: your paypal.com Login will not be offered for filling at paypa1.com, as an example. I hope this helps! :)

Ben

Hi @bigfriggin

The item you've highlighted does have liftengine.com in a website field on it... it is in website 5. It is nearly cut off in the screenshot, but that's why it is being suggested. Any Login items that have website fields where the "root" domain matches will be suggested, but ones more closely matching should be given higher priority. If you had one login item with a website field containing https://help.liftengine.com/scp/login.php in this case that should be listed as the first match.

I really need to be able to enforce an exact suggestion match on *.domain.tld, not just domain.tld

That isn't something that we currently offer, but I'll suggest to the team that we investigate how to improve this type of situation going forward. It would be great if we could account for this without hurting folks who need it to work the way it currently does. For example, I have an account on the rit.edu domain. Those credentials work on all sorts of hosts on that domain (e.g. gibson.rit.edu, start.rit.edu, sis.rit.edu, etc). I wouldn't want to have to save (and thus update) those credentials for every host, when one Login should cover it. Essentially just as many if not more systems are setup just the opposite of what you're asking for.

Plus, there are all these non-login items like identities and credit cards, when none of these field of fields appear on the page.

Correct; identities and credit cards are always suggested on every page, but they should be at the bottom of the list.

Ben

AGAlumB

@bigfriggin: While Ben's example was a good one representative of what most users need (albeit not a domain I am familiar with -- apple.com versus appleid.apple.com would be a common example of where nearly everyone would expect the same Login to work on both), trust me: we also understand where you're coming from. We've got dozen of agilebits.com and 1password.com Logins ourselves and know that can get confusing sometimes. ;) We do, however, need to advocate for what will benefit the greatest number of 1Password users, even when it may conflict with our own personal use cases at times. I don't know what the solution is, but it's definitely not a toggle. We had one for a related feature years ago and it hurt a lot more than it helped, so we removed it. But we'll see if there's something else we can do in the future that might do more good than harm. Question: In your case, might it work for you to be able to designate a specific domain be treated more strictly? I can't promise we'll add a feature like that, but maybe it's worth considering. :)

littlebobbytables

Hello @bigfriggin,

Let's say I have two Login items for Amazon. The Amazon sign-in page is on https://www.amazon.com and one Login item correctly references www.amazon.com while the other only mentions amazon.com. If I access 1Password mini both will appear as they're both matches for the registered domain amazon.com. If though I use the keyboard shortcut ⌘\ it will always pick the www.amazon.com Login item as there is only one exact match.

Although I haven't done any large scale tests, if you like to use ⌥⌘\ to access 1Password mini (keyboard equivalent to clicking the toolbar button) then the following is what I believe holds true.

1. Any matches to at least the registered domain and our flagged as favourites. If more than one these will be ordered alphabetically.
2. Exact matches to the FQDN and are not flagged as favourites. If more than one these will be ordered alphabetically.
3. Matches to the registered domain and are not flagged as favourites. If more than one these will be ordered alphabetically.

So potentially three groups depending on the numbers and each group will always appear in that order. If you're seeing something else please say but my current understanding is this is the expected behaviour.

The trouble with adding extra options either at the global or individual item level is each new option increases the complexity of 1Password and we're painfully aware it already has a steep learning curve. We removed the option you're thinking of in 1Password 6 because all it did was cause confusion and I can't think I've ever interacted with a person that used it to good effect. Even if we claim something is an advanced option we have to weigh up the benefits from the support if it is misunderstood and misused. It's a delicate tightrope that if we get it wrong can make 1Password more difficult for a lot of people but with little gain. None of that helps but I hope you can understand why we sometimes need to be quite careful when adding new configurable settings.

littlebobbytables

Hi @bigfriggin,

For some very specific cases we have what we call domain equivalency. If you have a Login item saved for https://appleid.apple.com you would like it to appear when you're on https://www.icloud.com because that's another well known domain that Apple owns and uses. With the exception of Japan (I have no idea why I'm afraid) an Amazon account created on any of their domains works perfectly everywhere else. There are a few more but it isn't a large list at all. We have an entry on this list for ourselves as we own both of those domains. Now agilewebsolutions.com is before my time so I'm unsure what details there would make sense to associate with agilebits.com but I assume there must be a reason for its inclusion.

So the match is intentional even though I cannot provide a clear explanation as to what credentials would be transferable between the two. Sorry I don't have anything more specific for that particular case although I hope the why puts you at some ease.

AGAlumB

In 2011 I believe it was that we changed the company name from "Agile Web Solutions" to "AgileBits". Since we own these domains and moved to the newer one, accounts that referenced the old were migrated to the new one. So that's an "equivalent domain" in the most literal sense. Apple is a better example I think because it's one most people are aware of, using the same Apple ID login credentials for iCloud as well. And yeah, unlike those, I had to create a separate amazon.co.jp account. :lol:

jgoeders

It would be great if the best matching URL were sorted to the top. Right now I have separate credentials for https://xx.sample.com/siteA and https://xx.sample.com/siteB, and have these exact urls listed in the website field for the 1password entry. However the suggestions don't seem to show me the closest matching URL first.

I understand the need to handle equivalent subdomains and the such, so I know it is going to show me more suggestions than I would like, but it would be great if they could at least be sorted better.

And yes, I like the idea of marking certain domains as more strict. Not sure if that potential feature could also be applied to my example where it isn't exactly a subdomain.

lando__

@bigfriggin,
I have to jump on your bandwagon. The inability to isolate FQDN from basename is at best an annoyance, and at worst a basic feature whose absence is enough to warrant switching platforms entirely.

At this point I would gladly use some interpreter or ruleset (PCRE?) nested deep in some advanced menu that would allow for this. As it stands, the advanced features specified in the Preferences leave a lot to be desired.

@1Password, I truly mean this in the most positive way, if you intend to market this as an enterprise solution, FQDN segregation is a critical component. I can't tell you how many companies follow the URL scheme blahblahblah.example.com to access different resources. I'm quite surprised the demand has not yet reached a point where this implementation is not being seriously considered.

ag_ana

@bigfriggin:

This forum is the right place :+1: Thank you for the feedback once again! We will certainly keep it in mind as we continue making 1Password even better.

smackie

I was searching for a solution to this and stumbled on this thread so let me add a massive "oh god yes" to the request that @bigfriggin is making.

I have a bunch of devices on a network DMZ in a data center. All of them are x.foo.org which means that the suggestions are horrible for me when I'm trying to log on. As I have multiple logins for a lot of the machines (admin and general user), I have to pay very careful attention to whichever entry I've selected. Even worse, some of the machines are docker engines and have a ton of services, each with their own auth info.

The ability to define some explicit FQDN base names to 1Password (i.e. "foo.org") that should never be fuzzy matched would be a great addition. That way, I can add my DMZ info for 1Password get the explicit match I need.

By the way, whilst we're on the topic, the ability to specify that the tcp port should be in the match as well would be excellent. I accept that this is very much a "Pro" user request but the ability to be able to specify per-FQDN domain options ("Default, Match On Exact FQDN, Match on Exact FQDN + Port") would be amazing.

Cheers

schlappette

I'm a relatively new 1Password customer, and I'm casting another vote for the ability to segregate explicit FQDN in the suggestions. At my large institution, many of our web services are SSO, so I can use my domain credentials. But other services are unavailable to the general school population, so do not utilize SSO, and have their own discrete logins. I don't want 1Password yelling at me for re-using credentials, so I've generated unique, strong passwords for those stand-alone systems.... and then get over a dozen suggestions from the 1Password autofill, simply because the URL is x.school.edu. I would love to see the ability to define explicit URL/FQDN matching in 1Password!

ag_ana

Thank you to both of you for taking the time to join the discussion :+1: :)

mcarifio

The original question above was "how are suggestions made" and then a discussion of various improvements. I'd still like to read something that describes how suggestions are made and in what order and how the key/value pairs are used to populate a login form. I'm often confused by the suggestions made and by the values inserted by 1password. Some of that is probably pilot error (i.e. me), so I'd like to fix that first before suggesting more fixes like the one's above.

Then again I can't resist. In addition to @smackie's excellent suggestion to define a match, it would also be useful for the suggester to indicate how it matched, e.g. "Matched FQDN x.foo.com" and so forth.

mcarifio

How did the forum software figure out exactly what I look like? Spooky...

smackie

Then again I can't resist. In addition to @smackie's excellent suggestion to define a match, it would also be useful for the suggester to indicate how it matched, e.g. "Matched FQDN x.foo.com" and so forth.

To expand on @mcarifio's point, some indication of matching (for an FQDN with optional matching rules) would be useful.

And, altho I didn't really expand on it in the original suggestion but it would be helpful to see the explicit TCP port as a peer of the match too. For example, the two service URLs

   https://server.foo.com:3000
   https://server.foo.com:8086

match to wildly different things and there's no point offering one as a suggestion to the other (if the domain is flagged for extra careful matching). I'm always careful to have the proper URL in the login entry for these sort of machines to make sure that things don't get confused.

And the following

  https://server-a.foo.com:3000
  https://server-a.foo.com:8086
  https://server-b.foo.com:3000
  https://server-b.foo.com:8086

are all different endpoints and shouldn't fuzzy match against each other. In these cases, it'd be helpful to have a setting like

  foo.com = Match on exact FQDN + Port

as a setting. In that case, you'd have to match the URL locator completely to get a suggestion. For other environments, this would work

  foo.com = Match on exact FQDN

and would match the exact machine name but ignore the port. It would be helpful here to sort the matches so that if there is a port match, it shows up at the top.

Finally, the default is what we have right now

  foo.com = Match on Domain (Default)

Right - that's about as exhaustive as I can make this.

Cheers!

osrl

It's probably related to this topic: I cannot search other website fields.

I have multiple subdomains like subdomain1.domain.com, subdomain2.domain.com etc. When I search subdomain1 and press enter, 1Password will "open and fill". But It can't find subdomain2. So I can't "open and fill" other websites easily other than the first one.

osrl

It's probably related to this topic: I cannot search other website fields.

I have multiple subdomains like subdomain1.domain.com, subdomain2.domain.com etc. When I search subdomain1 and press enter, 1Password will "open and fill". But It can't find subdomain2. So I can't "open and fill" other websites easily other than the first one.

paxmundi

@smackie I can only second that and I deeply wish that this feature gets included soon as I am in the same situation as you.
Matching suggestions only with domain.tld while you have a passcard with the exact FQDN or even URL (with or without port) is ineffective.

ag_yaron

Thanks for chiming in @paxmundi .

Please keep in mind that most of our users are not as tech savvy as you guys, so when they visit one of the following websites, they need their login to show up even though they are not exactly the same website:

• apple.com
• support.apple.com
• appleid.apple.com
• iforgot.apple.com
• itunes.apple.com
• store.apple.com
• etc

That is why suggestions work like they do. The first suggestions you see should be an exact match to the domain you are visiting, after which it will suggest similar matches that might have a different sub-domain or prefix/suffix. If you mark login items as favorites, they will show up first on the list regardless of exact matches.

I hope you'll find this info useful for now until we get a change to improve things according to the feedback here.
Thanks again.

IrQX

Dear 1Password developers,

I've just bought an annual subscription and migrated to 1Password, and faced with this issue too (it looks more as an issue than as a feature).

As I understood from messages above and from my case this is a common problem for many users. When we are talking about SSO or any federated login 1Password has problems to filter/sort logins.
I am a developer too and have many logins (incl. for testing purposes) on different sites (subdomains)

• www.my.site.com
• test.my.site.com
• qa.my.site.com
• api.my.site.com
• etc

And I absolutely confident that I don't wanna to see all the accounts (>50) in a list. I would like to have the ability to split it according to the URL, like it supposed to be.

Instead of arguing about how it must work, I would like to ask you a "feature request".
Very likely logic described below almost implemented, but Visual splitter will increase UX.

I believe, it shouldn't be hard to implement, and it would be very appreciated by all users.

So, it would be nice if a suggestion list ordering will look like:

• Items which URL fully match (including path), aaa.bbb.ccc.com/path_to/something/
• Items which URL fully match, but without path component aaa.bbb.ccc.com
• horizontal line (splitter) as visual separator (if no items above - no splitter here)
• Items which URL partially match, ranging by subdomain level match ("zzz.bbb.ccc.com" should be upper than "qwe.rrr.ccc.com")
• ...

Thank you

ag_yaron

Thank you kindly for the feedback and feature request!

We already have such a feature request and this entire discussion is pinned to it so all of your additional information will come in handy to the developers once they get a chance to investigate the matter.

@bigfriggin The JSON and UUID in the advanced preferences are for unique troubleshooting that we must have in order to be able to help some customers. It is not for users but more for us as a last resort of troubleshooting with/for the users :)

Adding an "Enable strict domain matching" checkbox sounds great on the surface, but as we've come to learn from years of experience, a lot of users will turn it on without even understanding what it means, which will cause a lot more problems for them and provide a bad experience. This needs to be thoroughly thought out before being implemented.

ref: dev/projects/customer-feature-requests#31

cmlitton

Can the suggestions feature be disabled globally instead of per site?

ag_yaron

@cmlitton Yes, you can change the suggestions settings in the 1Password app's preferences -> Mini tab. You can set it to "All items" instead of "Suggestions" and it will then show you all of your items ordered alphabetically instead of suggesting specific websites.

If you mean that you don't want 1Password to show up on websites then you can disable it via preferences -> Browsers tab.

mcampos

Came here to see if there was a solution for this same issue. I work for an extremely large multinational corporation. We have lots of internal websites that have different logins; so matching suggestions based on *.bar.com is basically the equivalent to matching every login I have for the entire company -- dozens.

What I want is for suggestions to be a lot smarter, for example:
1. https://jira.foo.bar.com/ # Use my "Jira" login
2. https://gitlab.foo.bar.com/ # Use my "Gitlab" login

Also related: It would be helpful to enforce suggestion matching not only on the hostname, but also on the path. For example we have cases like this:

1. https://whatever.foo.bar.com/grafana # That's a login
2. https://whatever.foo.bar.com/helpdesk_tracker # That's a different login
3. https://whatever.foo.bar.com/monitoring_system # Yet another login!

All are on the same web server, but 3 different logins.

Seems like a few ways to implement this:
1. Give users a field where they can specify the URL/path that should match for suggestions (wildcard match, or a regex)
2. (less helpful, but still better than we have now) a checkbox that says "Match the URL exactly"
3. Have 1Password remember which suggestions I usually pick when presented with a given URL. i.e. it displays all zillion choices, but remembers "for jira.foo.bar.com, he usually picks 'Jira'" -- so list that one first.
4. As @IrQX mentioned earlier, order suggestions based on which one most closely matches.

Thanks.

ag_yaron

Thanks for the additional feedback and suggestions here @mcampos .
We'll forward it to the team.

In the meantime, I feel like you could really benefit from utilizing tags. If you add a tag named "Jira" to your Jira login item, when you call 1Password you can quickly look for "jira" and it will show the relevant login item(s) on the spot. That is extremely helpful when you have a lot of logins with the same base domain.

Also, suggestion #4 already exists - 1Password will suggest logins based on how well the URL matches. Exact matches should show up first unless you have others that are marked as favorites. However, exact matches only take sub-domains into account and not the path after the .com part.

mcampos

Tags aren't really helpful -- if I have to narrow by a tag, I might as well search for the specific login I'm looking for.

The fact that #4 already works is great news -- I will just add additional "websites" to the 1P entry to help the suggestions. Thanks; that will make a big difference.

ag_yaron

Sounds good @mcampos !
Thanks again for the feedback and input. :+1:

ag_yaron

Hey @bigfriggin .
Thanks for the additional input here.

I'm also a big fan of CMD+\ , which was the hook that got me into 1Password! It does work really well for the vast majority of users as they don't have more than one or two logins per website. However, things get a bit more complicated when a more advanced user have a lot of logins for the same website (or the same domain), and another system such as tags must be utilized to organize things better.

A book shelf is wonderful if you have several books and makes them easier to handle and find, but if you have a lot of books you'll need a library and a system to locate what you need quickly. That system is the favorites and tags in 1Password :)

As I mentioned in the past, this has been filed as a feature request and is a very popular one at that, so I'm certain we will see changes and new features on that front at some point, once our current roadmap is completed.

Thanks again for your valuable feedback! Much appreciated.

jaotto1172

Please just get this done... my local network has hundreds of devices with their own independent logins, all in the same tld, of course, because that is the way everything on the internet works except for a handful of giant trillion dollar corporations. It is beyond ridiculous that, although each of my 1Password entries has a unique FQDN, the item with the exact match shows up half way down the list of suggestions, behind many entries that are only tenuously related. Using favorites helps... a little... by restricting favorites to only the entries that I log into multiple times per day, I can get the correct entry in the top 20. Nobody is asking for rocket science... Exact match = Best match goes to the top of the list would fix virtually every problem, leaving the rest of the sorting algorithm alone.

Please. It's been years since this broke. It was so frustrating today that I started looking for alternatives to 1Password (NONE fo which seem to have this bizarre issue), when I stumbled on this thread.

I'm glad to hear that this is a popular feature request. Now, please, don't post any more apologies for why it has to stay broken. Fix it. Now. You know what to do. just do it. Please.