How can I change the scope of a password?

1Password automatically recognizes the domain and providing the same password for all subdomains. However, sometimes you have different accounts in every subdomain.
Example:
sub1.domain.com --> account1
aub2.domain.com --> account2

Default behavior is to show all accounts for the domain (in the example "domain.com"), making an additional interaction necessary.
How can I change the scope of "account1" to match only on "sub1.domain.com" and not on "sub2.domain.com"?


1Password Version: 4.6 (Win), 6.3.1 (Mac)
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:How can I change the scope of a password?

Comments

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    This matching is controlled globally only in the 1Password preferences under the Browser tab on Mac. Make sure the "Allow filling on pages that closely match saved websites" checkbox is unchecked. That should create the behavior you're seeking. Let us know how it goes.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • Well, that sounded promising. I checked and found it was already unchecked. Out of curiosity I checked the box and it is exactly the same behavior like it was checked. I also restarted the browser each time, but not change there. Any other idea?

    Also I mainly use the relevant sites from a Windows system. Will there be a similar setting (maybe in the next version)?

  • jxpx777jxpx777 Code Wrangler 1Password Alumni
    edited August 2016

    @ckiechle Can you let me know what site you're testing this on? We have some rules in the app that apply to some special domains like apple.com/icloud.com, so I'm wondering if maybe there's a snafu there.

    I thought this was available on Windows, but I'm asking one of our Windows specialists to either confirm or correct me on this. Update: It looks like our Windows app does not have this capability. We have options for specifying that two domains are equivalent to each other or how many items are shown in the list initially, but not whether it should prefer Logins that match the current subdomain… :(

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • it is for domain on24.com. Subdomains: e.g. intelvs.on24.com, wcc.on24.com

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    It seems I'm unable to access those sites, but in any case, I can say we don't have any special handling for on24.com, so we should just behave in the normal way. Let's start with the default scenario, which sounds like what you're after.

    On Mac, make sure "Allow filling on pages that closely match saved websites" setting is unchecked. Create a Login with a single URL of http://intelvs.on24.com and another with the single URL of http://wcc.on24.com. (If you already have Logins that match this setup, then those work for this purpose.)

    Visit intelvs.on24.com and click on the 1Password button in your browser. It should show the Logins that have a URL with intelvs subdomain first in the list. Likewise, if you visit wcc.on24.com and click the 1Password button, it should show the Logins that have the wcc subdomain first in the list.

    If you were to enable the "Allow filling on pages that closely match saved websites", then there would be no such preference for matching subdomains and all on24.com Logins would show, first any Logins marked as favorites and then alphabetically.

    Can you give this a try and let us know if what I'm describing matches what you see?

  • thanks for those details. I can confirm that I see what you describe.
    I would like to raise a "enhancement request" if that's allowed.
    I would like a setting per login to match only on a exact FQDN or URL (maybe a pattern). That should be optional (default should be the current behavior).

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    I don't think we'll make it an option at the item level. Honestly, just the two behaviors I described already cause quite a bit of confusion, so adding to the ways that this could be mucked with is unlikely to make things better. Moreover, the way this is stored and retrieved later is with hashes of those FQDN and base domains, so there wouldn't be a way to grab additional information about how the item would want to be included or excluded during the lookup or without decrypting some of the data from the item.

  • Honestly, just the two behaviors I described already cause quite a bit of confusion

    As a new 1Password user, I suspect the naming of the "Allow filling on pages that closely match" option is what is making things more confusing than they need to be.

    Initially I thought I want the option enabled. I mean, of course I want smart URL matching! Then I was disappointed that 1Password wasn't clever enough to prioritize exact domain matches. Turns out I needed to disable the option, and 1Password would still fall back to higher-level domain matching as needed. Perfect.

    So, by default, 1Password already does what the option seems to be there for.

    Maybe consider renaming it? If I understand this correctly, all it does is prevent exact matches from being prioritized.

    What's the use case for such a thing, anyway? In the seemingly rare case where you need to completely ignore subdomains of a particular domain, you could just scrub the subdomains from those login items and have them all point to the main domain.

  • brentybrenty

    Team Member

    As a new 1Password user, I suspect the naming of the "Allow filling on pages that closely match" option is what is making things more confusing than they need to be.

    @carrer: You may be right to some extent. We're always open to suggestions. However, I'm pretty confident that the problem is a bit different. We used to have different names for that setting, but that didn't help, whether they were more or less descriptive. The real issue, I believe, is that login matching is just too dang complicated. Different people want different things, and we've built how this works over many, many years, to the point where it's super complex to explain — especially within the constraints of a checkbox description.

    What's the use case for such a thing, anyway? In the seemingly rare case where you need to completely ignore subdomains of a particular domain, you could just scrub the subdomains from those login items and have them all point to the main domain.

    That would annoy a lot of people, primarily developers/admins who often need/want to use a single login across many subdomains. And getting rid of the subdomains isn't really an option, as those are important to others who want things matched as closely as possible.

    It's really easy to add new features, but much more difficult to take them away. That's why we try to be careful about doing that (or adding settings) in the first place, and set sane defaults that will work for most people.

  • primarily developers/admins who often need/want to use a single login across many subdomains

    I hear you. In fact I'm a developer too. And I'm certainly not suggesting removing an existing feature. I was just curious if I had understood the option correctly.

    I mean, if I have a single login that works across several subdomains, the thing works just fine out of the box – that is, without the lenient matching option enabled.

    Let's say I've got logins saved for one.example.com and two.example.com. The option would seem to come handy only when I would like both logins to pop up regardless of which of these domains I'm currently on. I have to say I've never encountered such a case. If I didn't want to target a specific subdomain, I would have saved those logins as just example.com to begin with.

    That's why I'm saying the label maybe isn't ideal. It sounds like something you want enabled, when in reality it's there to accommodate what to me seems like a marginal use case. (And it certainly should be settable on a case by case basis instead of globally.)

  • jxpx777jxpx777 Code Wrangler 1Password Alumni

    I personally dislike the label we have there as well, but we have tried so many different labels for that setting over the years and this is the least confusing about what part of 1Password it impacts. "Lenient URL matching"? What does that mean? I forget what other terrible labels we have had there in the past, but mostly it caused users confusion about what the thing was even talking about, never mind how it worked or what its impact would be.

    The trouble is that the best phrasing of this setting, "Prefer Logins that match the full hostname" or "…that match the subdomain of the current page" are still too technical. Most users—not developers like you and me and in many cases people that have been dragged into the computer age and then the internet age—don't know what a domain is, and consequently the word "subdomain" makes even less sense.

    But even that is not the whole story because there are some sites whose domain name counts as a suffix. One instance is herokuapp.com. When you visit exampleapp.herokuapp.com, 1Password treats this as a different domain entirely from coolapp.herokuapp.com. Your Logins for coolapp won't be available on exampleapp and vice versa. (We talked a bit about this back in January in case you're interested.)

    We have really smart writers on our team and they have struggled mightily to give this setting a name that is meaningful to the majority of 1Password users. So far, the current wording is the best we have come up with. If we do ever end up making a change here, it will probably be to simply remove this setting entirely. Perhaps we would keep the underlying logic around and allow a hidden setting for people that really really really "need" this functionality, but who's to say for sure.

    Right now, we don't have plans to make any changes here, but every time I have to explain what this checkbox is and how it works, I am reminded of how much pain a simple little checkbox can cause and the danger of saying yes to features that are "simple" or "just a setting".

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • brentybrenty

    Team Member

    @carrer: I hope you don't mind, but I wanted to follow up on the excellent example you gave, in case this helps you or anyone else:

    Let's say I've got logins saved for one.example.com and two.example.com. The option would seem to come handy only when I would like both logins to pop up regardless of which of these domains I'm currently on. I have to say I've never encountered such a case. If I didn't want to target a specific subdomain, I would have saved those logins as just example.com to begin with.

    I'm with you there for the most part. That's what I tend to do in many situations because I do most of my navigating in the browser, not opening logins from 1Password itself — I'm already at the page and just want to fill the credentials.

    But many people want to save the exact URL, not just the domain, in their Logins so they can click it and have 1Password take them right there to fill and submit the form. For a lot of people, this is the whole reason they're using a password manager. Personally, I usually have autosubmit disabled, but that really makes me an outlier — and perhaps a bit of a pariah here. Cheers! ;)

This discussion has been closed.