Problems with different websites using the same cloud shopping cart

My wife ran into a possible problem today. She is a member of several different websites that use a cloud shopping card called 3dcartstores.com. She almost updated a password on a different website because 1password wanted to update a different website.

The URL that each of the websites is different, but then the shopping cart add ".3dcartstores.com/blah blah blah" after the website address. So it looks like this.

Firstwebsite.com.3dcartstores.com/blah blah blah
Secondwebsite.com.3dcartstores.com/blah blah blah

I don't have the actual websites handy, but I did look through 1password and that is what I am seeing. 1password calls them similar even though they are totally different websites. With more small business's possibly going to the cloud for shopping carts, I see this as a problem that will increase in volume.

The websites are small businesses or people just selling different things as a hobby. My wife happens to purchase items from smaller businesses. Right now, there are only 2 websites that she has run into, but she is still transferring her passwords from paper to 1password, so there might be more.

I told her she needs to watch it closely for now.


1Password Version: 7.3
Extension Version: 684
OS Version: Windows 10
Sync Type: 1password account

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @CurtTerp: Thanks for getting in touch! I'm sorry for the trouble. Just to make sure we're on the same page here, it sounds like you're saying that the URLs involved are something like https://Firstwebsite.com.3dcartstores.com and https://Secondwebsite.com.3dcartstores.com. Is that correct? If so, those are all technically the same website, part of the same domain (3dcartstores.com) owned by a single company, and 1Password needs to treat them as such. Imagine if Login items users saved in 1Password for their Amazon accounts didn't work at https://smile.amazon.com because they happened to have originally saved them at https://www.amazon.com instead? There are plenty of other examples like that because it's how the web fundamentally works. Having 1Password behave differently for a specific website like this may be desirable for your use, but would have much more far-reaching repercussions for others. For now, I'd suggest naming the Logins that need to be kept separate in such a way to make it easy to differentiate between them. And if that company wants their site to be treated differently than the standard for the web, they can also submit a request to be added to the public suffix list, which is well known and 1Password also incorporates for domain matching. I hope this helps. Be sure to let me know if you have any other questions! :)

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @CurtTerp,

    Just to add to what Brenty has covered. Should the worst case scenario occur, the password for the wrong site is updated all is not lost. Each Login item records the password history of that item. The button isn't present until there has been at least one password relegated from being the current password to an old one but once that happens a button should appear that reads something along the lines of View Password History

    It does sound like the site 3dcartstores.com (or whatever their domain is) would benefit from getting themselves added to the public suffix list but that is something they would need to do as owners of the domain.

  • CurtTerp
    CurtTerp
    Community Member

    Thank you both @littlebobbytables and @brenty for your response. I do know how the internet works since I have been on the internet for over 25 years. I also have been a 1Password user since v5, and just upgraded to v7 family since v6 will not fill passwords in for me when the new macOS (Safari) is released next month.

    I can also see that I didn't explain the differences that I see very well, so I will try to explain it better now.

    A few years ago, Comenity has been purchasing banks that carry branded credit cards. We actually have 2 credit cards that were purchased. Below is the URL for the different cards.

    https://d.comenity.net/bergners/
    https://c.comenity.net/catherines/

    When I click on one or the other, depending on which one I clicked, 1Password would show both accounts, but the correct account would be highlighted. If I changed the password, the popup would show the correct account under the existing tab. So 1Password would show both, but it would highlight the correct one for the website.

    Now the URL for the websites shopping carts I was writing about are below.

    https://fromtheneedleofanne-com.3dcartstores.com/
    https://pnw-embroidery-com.3dcartstores.com/

    When my wife logged into the first URL shopping cart, the popup showed the account for the second URL and asked if she wanted to update the existing account in 1Password. She happened to catch it and hollered for me to come and look. I was a little confused at first because I never saw that problem at all. When I looked into the specifics, I noticed each of the URL's, and unfortunately I was in a hurry to get going to get some shopping done, so I rushed my first post.

    I don't know if it is technically possible to look forward past the first dot to the referring website or not. I don't know what is under the hood, and I am not that familiar with JSON and website programming. I think that smaller businesses might go to this or other cloud type shopping carts because it is less maintenance for them.

    I hope that I explained the behaviour that I am seeing a little better this time around.

    Thanks again for the comments.

    Have a great day!

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hello @CurtTerp,

    I'll need to do some testing but I think I know what may be happening.

    When 1Password lists matching Login items for filling as a minimum it requires the domain matches. In the case of the stores it's 3dcartstores.com. 1Password will list any that match against this but when sorting the list it should favour exact matches over inexact ones. So if you're on fromtheneedleofanne-com.3dcartstores.com it would list it first and then pnw-embroidery-com.3dcartstores.com. Visit pnw-embroidery-com.3dcartstores.com and the order would be reversed.

    The last time I remember discussing the update existing dialog I do remember whether 1Password should try to be intelligent about the default selection and as long as my memory isn't misbehaving I think we picked the first matching Login item from the active based on alphabetical ordering of the title. I will need to test this to confirm though. What I think we're not doing is favouring an exact match over an inexact match based on the URL. If we're not my first thought is this should be relatively easy to implement and I suspect not a contentious call. I could be wrong though, there may be arguments made that this isn't a trivial improvement for whatever reason but I would hope this isn't the case.

    I still feel ultimately the best move though would be the shop provider getting themselves added to the public suffix list. That would mean only the one match appearing for both filling and saving given the intent is for every subdomain of theirs to be isolated.

This discussion has been closed.