[Regression] 1Password suggesting passwords from wrong subdomain
I manage a domain with quite a few devices on separate subdomains, and use 1Password as a means to easily create and enter unique admin passwords for each.
Let's say I have two hosted at rtr.example.com and datastation.example.com. For each, I'll create an entry in 1Password, enter its domain (only the domain) under the "website" field, generate passwords, and go from there. If I want to log in to rtr.example.com, I'll then just visit its admin page in Safari, activate 1Password, and its entry will then be at the top of the suggestions. If I then go to datastation.example.com and do the same, it should now be at the top of the suggestions, and indeed until recently that's what happened.
Now, if I log in to rtr.example.com first, its credentials will persist at the top of the suggestions list for any website I visit hosted on a subdomain of example.com for some indeterminate time. If I then try to log in to datastation.example.com, its entry will appear quite far down the list of suggestions. (There are a lot of passwords under the domain, and they seem to be unsorted aside from the first suggestion, which is now stuck as rtr.example.com.) If I instead log in to datastation.example.com first, its credentials now become stuck at the top of the suggestions for any subdomain under example.com, and I'll have to search manually when I try to log in to rtr.example.com.
This is very annoying behavior, and has changed recently. It used to be that the first suggestion when entering the password on any page always matched the full domain of that page. (i.e. An entry for example.com would always be near the top of the suggestions for anything under example.com, but, for instance, rtr.example.com would never appear as a suggestion outside of the rtr.example.com subdomain.) I hope I'm just missing a setting to disable this behavior, but it actually reduces the security of 1Password.
Because of this, 1Password may currently offer as a first suggestion a password which does not match the full domain of the page being viewed. Though rare, it's not impossible that this will be a website controlled by a different entity entirely. (Technically that's exactly what's happening in my example, though the security impact of accidentally entering the password for one device into another that I also manage is, at least, fairly low.)
1Password Version: 7.4.2
Extension Version: 7.4.2
OS Version: 10.15.2
Sync Type: Not Provided
Referrer: forum-search:subdomain
Comments
-
Hi @Chaos215bar2! Welcome to the forum!
For each, I'll create an entry in 1Password, enter its domain (only the domain) under the "website" field, generate passwords, and go from there.
Are things working the way you want if you enter the subdomain as well, instead of only the domain?
0 -
Each entry contains the full subdomain.
0 -
Thank you for the confirmation! I have let our developers know about this :+1:
ref: dev/apple/issues#1504
0 -
Thanks!
@ag_ana, if there's any way I can follow the ticket you referenced, I would be very interested.
0 -
Our issue tracker is private, sorry. :( But you're welcome to request status updates here on occasion. We may not be able to say much, but if a change is included in a beta or stable build we can let you know that.
Ben
0 -
Any update, @Chaos215bar2? Have you been able to replicate the problem? I'm seeing the same behavior.
0 -
Anything new to report? It's been a few months and the issue persists.
0 -
I have a related problem. My employer has two different login systems. One is for general access, one for access to more restricted systems (hospital and medical school). The general access system is accessed through weblogin.umich.edu, the other is weblogin.med.umich.edu. We are redirected through both systems countless times per day, depending on which resource we are trying to access. 1P always tries to use the credentials for the less restricted login. It is quite annoying to have to type passwords manually, kind of defeats the purpose. Please prioritize and fix this bug!
0 -
Thanks for sharing your perspective, @jholtzman.
Ben
0 -
I have the same issue, subdomain.domain.com shows logins from anothersubdomain.domain.com.
Btw, I switched a few times between my browser tabs and the first 3 times it looks like it shows all logins from the same domain, and now it is showing the correct logins for the subdomain + domain.
I see you guys are saying, "OK, we will tell the developers", but are you able to reproduce this issue? Because it looks like it does not have the same behavior every time, so it is hard to reproduce.
I hope my explanation will help!
0 -
I have the same issue, subdomain.domain.com shows logins from anothersubdomain.domain.com.
My apologies for any confusion: that's intentional. It is supposed to work that way. :) 1Password matches based on the domain. Subdomains are used for sorting, but do not exclude logins from being suggested. The issue the OP was having is that 1Password should be suggesting the closest match first (with the exception of favorites, which are always sorted above other items), and that was not happening. We hope to have that fixed up soon.
Ben
0
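The matching rule described in the last reply (match on the domain, sort by subdomain closeness, favorites above everything), sketched as an added example; this is not 1Password's code. The names `Login`, `rank_suggestions` and the `exact_only` strict mode are hypothetical, the vault entries are constructed, and the base domain is assumed to be the last two labels, where real software needs the Public Suffix List.

```python
from typing import NamedTuple

class Login(NamedTuple):
    title: str
    host: str               # host saved in the item's "website" field
    favorite: bool = False

def base_domain(host: str) -> str:
    # Assumption: the registrable domain is the last two labels. Real code
    # must consult the Public Suffix List (think example.co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def shared_labels(a: str, b: str) -> int:
    """Number of trailing DNS labels the two hosts have in common."""
    n = 0
    for x, y in zip(reversed(a.lower().split(".")), reversed(b.lower().split("."))):
        if x != y:
            break
        n += 1
    return n

def rank_suggestions(page_host, items, exact_only=False):
    """Items on the page's base domain: favorites first, then closest host."""
    page_host = page_host.lower().rstrip(".")
    pool = [i for i in items if base_domain(i.host) == base_domain(page_host)]
    if exact_only:  # hypothetical strict mode: never offer a sibling subdomain
        pool = [i for i in pool if i.host.lower() == page_host]
    def key(i):
        exact = i.host.lower() == page_host
        return (not i.favorite, not exact, -shared_labels(i.host, page_host), i.title)
    return sorted(pool, key=key)

# Constructed sample vault using the hostnames mentioned in the thread.
VAULT = [
    Login("Router admin", "rtr.example.com"),
    Login("Datastation admin", "datastation.example.com"),
    Login("Example account", "example.com"),
    Login("NAS backup", "nas.example.com", favorite=True),
    Login("Campus login", "weblogin.umich.edu"),
    Login("Medical login", "weblogin.med.umich.edu"),
]
```

On `datastation.example.com` the favorite `nas.example.com` item still sorts above the exact match, so the first suggestion can belong to a different host unless the strict mode is used.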