Stricting URL matching for subdomains ?

timtam300
timtam300
Community Member

Is there a way to make URL matching more strict? It's quite annoying when it comes to sites such as https://ca.gov that have many separate sites hosted as subdomains. For instance https://dmv.ca.gov or https://ftb.ca.gov. I have numerous logins saved and going to any *.ca.gov site will show them all rather than the specific saved login for that subdomain. Any way to get around this?

Thank you!


1Password Version: 6.8.6
Extension Version: Not Provided
OS Version: Mac OS 10.13.2
Sync Type: Dropbox

«134

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @timtam300: No, as ca.gov is the same site in all of your examples; you're just accessing different resources. However, there are two things you can do to simply things for yourself:

    • Use the correct URL in each login item. For example, don't save https://ca.gov in the login if you only want to use it for https://dmv.ca.gov
    • Makes sure that "Allow filling on pages that closely match saved websites" is disabled in 1Password Preferences > Browsers. That will ensure that the exact match (https://dmv.ca.gov) will be shown at the top of the list, rather than having all logins matching the domain (https://ca.gov) shown as top matches.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • joshcoast
    joshcoast
    Community Member
    edited May 2019

    I'm not seeing that option in 1Password Preferences > Browsers. Has it changed locations? I'm a web developer and we often use URLs like http://great-client-site.dev.our-test-domain.net, http://other-great-client-site.dev.our-test-domain.net, etc. for all kinds of different clients, all of which utilize CMS's like WordPress and need logins.

  • Hi @joshcoast

    We no longer offer such an option as it is the default/only behavior now. 1Password will always do what it did with that option enabled at this point. What seems to be the difficulty you're having with such sites?

    Ben

  • gregsly
    gregsly
    Community Member

    I can second Josh's comment, in that when I visit one subdomain at my company's demo-url, 1password offers other subdomains and uses the term "close match" even though they are different except for the top/second level domains. I am on v7.3.684 and seeing this behavior.

  • Ben
    Ben
    edited May 2019

    That is the correct/intended behavior, yes. It should list the closest match first, though.

    Ben

  • ColdBlue
    ColdBlue
    Community Member

    1password is broken with subdomains and does not match correctly. On our company network there are many different services running at many different subdomains. When you update a password for a site at one subdomain, 1password just randomly picks one of the other sites and asks if that should be updated. It doesn't try to match at all and its a huge hassle to have to scroll through 20 sites to find the right one to update.

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @ColdBlue! Welcome to the forum!

    While 1Password will show you the list of all logins if they use the same domain, it should still show you the one with the correct subdomain at the top of the list. Is this not what is happening to you?

  • chrismnz
    chrismnz
    Community Member

    This doesn't work for me. 1P (7.4.4) does not match to the closest match. It seems to match to some combination of domain and last used login. Quite frustrating. It used to work well but seems broken now.

  • ag_ana
    ag_ana
    1Password Alumni

    @chrismnz:

    Is this happening with a specific website or have you noticed it with all of them?

  • ast23756
    ast23756
    Community Member

    Same behavior: broken strict url matching for ANY level 3 subdomains
    my environment: windows 10, 1p for windows 7.4.763, firefox plugin 1p x 1.18.1, firefox version 74.0 x64
    see images here
    https://www.evernote.com/l/ABxWjv5DAjZLUo6YIb4XmL0leoROcqi9W8o/
    I have filed a ticket to support also.

  • Ben
    Ben
    edited April 2020

    Hi @ast23756

    That's working as intended. The issue that may be outstanding is the sort order, but it is intentional that logins for anything.domain.tld are displayed when visiting anythingelse.domain.tld. We do not have plans to change that. What we may be able to address is the closest match being listed first, e.g. if you are on discussions.agilebits.com then the login with that URL saved should be listed higher than one for someotherservice.agilebits.com.

    Ben

    ref: QMA-19726-912

  • ast23756
    ast23756
    Community Member
    edited April 2020

    Hello @Ben,

    Strongly agree with your point that closest match should be listed first, may be even add some visual separation between first closest match and other available logins. It would be great to see this improvement in one of the next 1p releases.

    Also, would you be so kind to expend on what is the reasoning behind "logins for anything.domain.tld are displayed when visiting anythingelse.domain.tld"?

    My vision: If anything.domain.tld is an atlassian confluence knowledge base and anythingelse.domain.tld is the vpn router gui how do these logins can help each other? The only scenario I can imagine is that some organization uses some internal authentication system, so that all employees use same credentials to login to different services on *.org-domain.tld. But does having several SAME login/password pair entries in 1p is worse than having all other customers with my scenario to cycle through the list of useless logins every time they need to login to anythingelse.domain.tld?

    Is that possible to add an option so that logins for anything.domain.tld ARE NOT displayed when visiting anythingelse.domain.tld ?

  • Is that possible to add an option so that logins for anything.domain.tld ARE NOT displayed when visiting anythingelse.domain.tld ?

    While technically possible, we've decided against doing so. 1Password is already a fairly complex product to use, and one of our current goals is making it more accessible. Throwing in options about subdomains (which most users will not even know what that means) would be counter productive for that goal.

    My vision: If anything.domain.tld is an atlassian confluence knowledge base and anythingelse.domain.tld is the vpn router gui how do these logins can help each other? The only scenario I can imagine is that some organization uses some internal authentication system, so that all employees use same credentials to login to different services on *.org-domain.tld.

    While that may be true for some domains - that there are different services on each subdomain that use separate credentials, that certainly isn't universally the case and there is no good way for us to separate one scenario from the other.

    But does having several SAME login/password pair entries in 1p is worse than having all other customers with my scenario to cycle through the list of useless logins every time they need to login to anythingelse.domain.tld?

    We respectfully disagree in this case. While I can absolutely see an argument that the Login with the closest matching URL should be at the top of the list (and it should), I cannot see not offering people their login credentials when those credentials are valid anywhere on *.domain.tld.

    Ben

  • blappy
    blappy
    Community Member

    Want to tag on and add a +1 for some sort of answer to this request. Here's a very common scenario:

    I have a large number of company-related services that get bundled up under our branded domain. So, for example mail.domain.com is a webmail, support.domain.com is a support forum, abc.domain.com is a management console, etc. These are all separate hosted services with separate credentials that just have the domain name attached, and which are otherwise unrelated (and which do not share logins).

    That is somewhat managed by your closest-match response above, but then add this mess of sometimes overlapping credentials:

    Login A (user1/abcde) must be changed every 90 days
    abc.00.domain.com
    bb.domain.com
    bb.domain.com/otherservice
    c.domain.com
    mail.domain.com

    Login B (user1@domain.com/abcde) password gets changed every 90 days in sync with user1 above, but has different username format
    def.00.domain.com
    thing.domain.com
    domain.com:1234/lemons/
    tester.domain.com/version1
    support.domain.com
    abc.domain.com

    Login C (admin/admin) doesn't change
    dev.01.domain.com
    tester.domain.com/version1
    tester.domain.com/version8

    Login D (testuser/testpassword) doesn't change
    tester.domain.com/version1
    tester.domain.com/version3

    Some of these URLs are just not memorable, and to boot are similar to other URLs with different credentials. So looking at a list doesn't do much good.

    Right now these all end up as separate entries and it's just... a mess.

    Add to that that a whole bunch of these have to be changed in sync regularly, and it becomes quite frustrating that despite using a password manager I still have to manually mess with these all the time.

    Obviously this is a lot for a normal user, so just allowing a (hidden) advanced setting that gives me exact matching only, plus a wildcard character and exclusion would let me deal with this mess. This is a very common occurrence in every job I've had, and even somewhat in my personal life.

    Anyway, completely understand not overtaxing the UI for the casual user, but some way to address this for those of us that go looking would be a huge huge benefit.

  • @blappy

    It seems being able to specify a different username for each website field on a login item might help in that case? Would you agree? That way at least Login A and Login B could be combined.

    Ben

  • blappy
    blappy
    Community Member

    It would certainly help to be able to bundle multiple usernames to a single password, yeah.

  • Thanks for confirming. :+1: I'll mention that in brainstorming on these issues.

    Ben

  • sfxn
    sfxn
    Community Member
    edited April 2020

    I can see your point in deciding against that feature request as it might be no mainstream feature.
    But I have a very similar problem as @blappy and @ast23756 mentioned before in our corporate setup where we have two ActiveDirectory/LDAP systems as well as several other authentication mechanisms, sometimes 4 different stages for one system where I have several test accounts per stage.
    And especially in corporate setups a strict (sub) domain matching either as option per entry or as a global switch would help remarkably. Our servers all follow the pattern host.sub-a.sub-b.domain.tld and typically the one entry I need is the fourth or fifth of the suggestion list despite the fact that the fifth entry has a website entry matching 100% and the other entries only match with domain.tld

    So for the moment I expect that feature request as declined but maybe you can think about it anytime in the future.

    Regards
    Bastian

  • snowdog1
    snowdog1
    Community Member

    I have to agree with others requesting some sort of enhancements here. My company is using multiple services with subdomains and different logins. It's a total mess now, when trying to figure out the one that matches visited service. We made some workaround with custom usernames (new problem, how to remember them all) but it does not work in quick login scenarios, where username is not displayed...
    I understand that non-tech users never needs any option to make matching more strict but 1password is also a tool of choice for multiple tech companies (paying thousands $$$ in licensing fees), making their life easier in most cases, except this one... We really need some sort of customization here.

  • Thanks for the feedback here folks. SSO handling is definitely still an area in which we'd like to improve, regardless of any sort of subdomain matching preference. Additionally, if you represent a company utilizing 1Password in such a scenario, please reach out to your contact on our business team so that they can advocate for improvements from their end as well.

    Ben

  • jmorby
    jmorby
    Community Member

    Can I ask that you re-visit this as it is broken ... we have hundreds of servers, all in my domain .. all with different logins and passwords (yes SSO would be nice, but it's not an option) and we need different logins / passwords for security to avoid one password being compromised and all servers being compromised.

    If I go to

    scm.mydomain.com
    www.mydomain.com
    fred.mydomain.com
    blah.mydomain.com

    1Password keeps trying to update the logins for my email account (mail.mydomain.com) or something other than the actual server I'm connected to. It's becoming a real pain in the proverbial

    It's getting to the point where I'm just going to recommend my company ditches 1password completely as it is becoming more of a hindrance than anything with this brain dead functionality :(

  • Hi @jmorby,

    I can understand how it would be a hinderance in that environment, and I'm sorry to hear that's the case for you. At this point, we do not have plans to change this. That isn't to say we couldn't make such plans at some point in the future, but I want to be as up front as I can about realistic expectations here. I wouldn't anticipate a change to this behavior in the near future.

    That said, I'd encourage you to reach out to your account rep (or our business team, if you aren't sure who that is): business@1password.com. They'd be in the best position to advocate for business-oriented use cases.

    Ben

  • jmorby
    jmorby
    Community Member

    What gets me is you seem to have the functionality in place for domains such as wordpress.com

    Why not expose this to your customers so we can simply list any domains which we want uber strict matching on?

  • @jmorby

    The situation you're describing with Wordpress comes from the public suffix list:

    Public Suffix List

    We do not have direct control of that list, but my understanding is that they do accept submissions that meet their criteria. If your domain is a public suffix then you may want to consider seeing about having it added.

    Ben

  • ormapa
    ormapa
    Community Member

    I agree with others requesting this feature. We're currently evaluating some passwords managers. We like 1password a lot but a better URL matching it's a must since we manage a lot of subdomains. At least we expect a smart ordering showing first the best "matches" as Keeper does. Without this 1Password is unsuable for us.

  • @ormapa

    At least we expect a smart ordering showing first the best "matches"

    We do already do that. Items marked as favorites will be listed first, and then the closest match based on URL. If that isn't working it would help to know:

    1. The URL you're visiting in your browser
    2. Each of the items returned, in the order they are returned, along with each of the website fields saved on those items, and if any of the items are marked as favorites

    If you'd rather send that information by email, please send it to support+forum@1password.com and then post the support ID you get from the autoresponder here. Thanks!

    Ben

  • ormapa
    ormapa
    Community Member

    Hi Ben, thank you for your response.

    I can’t understand the suggestion order. Can you explain how it works in detail.

    Our situation is that we deal we dozens of entries in the same domain that are differents sites:

    www.domain.com
    www.domain.com/path
    www.domain.com/path/whatever
    sub1.domain.com
    sub1.domain.com/path
    sub1.domain.com/path/whatever
    sub2.domain.com
    sub2.domain.com/path

    When we navigate to sub1.domain.com/path1/whatever/xyz we expect to get suggestions in this order

    sub1.domain.com/path/whatever (same subdomainm, same beginig begining)
    www.domain.com/path/whatever (diferent subdomain,same beginig begining)
    sub1.domain.com/path (same subdomain, same begining path)
    www.domain.com/path (diferent subdomain, same begining path)
    sub1.domain.com (same subdomain)
    www.domain.com

    We accept that it’s debatable if www.domain.com/path/whatever should appear before sub1.domain.com/path, but it’s seems that there’s no logic order. We have tested on 1passwordX and 1password extensions and most of the suggestions appear in alphabetical order.

    All in all, this type of scenarios would make necessary to have the option to adjust the URL patterns like lastpass or bitwarden do.

  • we expect to get suggestions in this order

    I would tend to agree, with the exception of any items being marked as favorites being listed first. Would you be able to send us some specific examples of instances where this isn't working as expected? It would be helpful to know:

    • The URL you're visiting in your browser
    • The URLs saved in the website fields on each of the results listed, in the order the results are listed

    If you'd rather email those details our email contact info is above. :)

    Thanks!

    Ben

  • Botts
    Botts
    Community Member

    Thanks for looking into this, just wanted to add, that for those of us handling multiple hosts in a site, it would be nice if subdomain matching could be forced or prioritized. For advanced users, it would be great if we could use wildcards for the entries.

    I use hostname.site.domain.com, and when I use the browser extension, it'll list all of the logins for that domain.

    For most sites, I really like that adding domain.com works for all subdomains. But I could easily add *.domain.com to the URL list.

  • Thanks for the feedback @Botts. I understand wildcard matching would be a solution for those who are technically inclined enough to understand it, but as we move toward supporting a broader audience we're going to be in less of a position to support things like that. I never want to have to explain string matching with wildcards to my mom in order for her to have 1Password work the she is accustom to it working.

    Ben

This discussion has been closed.