[Bug] Subdomain mismatch causes credential leaks

nciiis
Community Member
edited September 2022 in 1Password in the Browser

In our company we use a lot of subdomains which must be kept separate. But we started using 1Password recently and the domain matching is causing issues. Both from a usability perspective and from a security perspective.

A 1Password item with domain "customer.application.ourdomain.com" must never be able to match "another-client.application.ourdomain.com", yet this happens all the time. It is irritating, because the autocomplete list gets very long, and credentials are sent to the wrong server, which is bad, because then credentials may need to be reset due to different security levels on different servers.

What can we do to improve this situation? I remember that there used to be a setting for this, but cannot find this right now.


1Password Version: 8.9.5
Extension Version: 2.3.7
OS Version: Windows 10
Browser: Firefox

Comments

  • nciiis
    Community Member

    Anyone know of a way to fix this?

  • Hey @nciiis,

    1Password currently only suggests items based on the root domain. I can see the value of having 1Password suggest only exact matches based on their subdomain, especially for the use case you have described.

    We have an internal open request to support advanced matching rules for autofill so I have added your feedback to this discussion.

    By default, 1Password should show the closest matching Login based on the subdomain as the first result, with any subsequent matching items below. If you find you're using a specific Login more frequently than others, you can add it as a favorite which will make sure it's always displayed as the first result regardless of the subdomain.

    I hope this helps, thank you for your feedback.

    ref: IDEA-I-57
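    To make the difference between the two policies concrete, here is an added illustration (not 1Password's code, and not from anyone in this thread): a root-domain policy, as the reply above describes, offers every item that shares the registrable domain, closest subdomain first, while an exact-host policy offers only the item whose host is identical. The vault contents are constructed, and the registrable domain is assumed to be the last two labels rather than derived from the Public Suffix List.

```python
# Added illustration (not 1Password code): compares two autofill matching
# policies against a constructed vault. Public-suffix handling is simplified
# to "last two labels" (an assumption; real clients use the Public Suffix List).
from typing import List, Tuple

def labels(host: str) -> List[str]:
    """Split a hostname into lowercase labels, ignoring a trailing dot."""
    return host.lower().rstrip(".").split(".")

def root_domain(host: str) -> str:
    """Registrable domain, assumed here to be the last two labels (eTLD+1)."""
    return ".".join(labels(host)[-2:])

def matching_depth(page_host: str, item_host: str) -> int:
    """Number of labels shared from the right; -1 if the root domains differ."""
    if root_domain(page_host) != root_domain(item_host):
        return -1
    depth = 0
    for a, b in zip(reversed(labels(page_host)), reversed(labels(item_host))):
        if a != b:
            break
        depth += 1
    return depth

def suggest(page_host: str, vault: List[Tuple[str, str]], exact_host: bool) -> List[str]:
    """Return the item titles an autofill menu would offer on page_host.

    exact_host=False mimics root-domain matching as described in the thread:
    every item sharing the registrable domain is offered, closest first.
    exact_host=True offers only items whose host equals the page host.
    """
    scored = []
    for title, item_host in vault:
        d = matching_depth(page_host, item_host)
        if d < 0:
            continue
        if exact_host and labels(item_host) != labels(page_host):
            continue
        scored.append((-d, title))  # most shared labels first, then by title
    return [t for _, t in sorted(scored)]

# Constructed sample vault: two tenants under the same application subdomain
# plus an unrelated corporate login on the same root domain.
VAULT = [
    ("Customer A admin", "customer.application.ourdomain.com"),
    ("Customer B admin", "another-client.application.ourdomain.com"),
    ("Corporate SSO", "sso.ourdomain.com"),
]
```

On the page for Customer B, the root-domain policy still lists Customer A's credential (and the SSO login) as autofill candidates, which is exactly the cross-tenant exposure the original post describes; the exact-host policy lists only Customer B's item.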

  • nciiis
    Community Member

    Thank you. It helps by giving us knowledge, but not by reducing our actual risk or improving usability.

    I could have sworn that in previous years 1Password was better at detecting proper domains; has there been a known regression?

This discussion has been closed.