[Regression] 1Password suggesting passwords from wrong subdomain

edited February 16 in Mac

I manage a domain with quite a few devices on separate subdomains, and use 1Password as a means to easily create and enter unique admin passwords for each.

Let's say I have two hosted at rtr.example.com and datastation.example.com. For each, I'll create an entry in 1Password, enter its domain (only the domain) under the "website" field, generate passwords, and go from there. If I want to log in to rtr.example.com, I'll then just visit its admin page in Safari, activate 1Password, and its entry will then be at the top of the suggestions. If I then go to datastation.example.com and do the same, it should now be at the top of the suggestions, and indeed until recently that's what happened.

Now, if I log in to rtr.example.com first, its credentials will persist at the top of the suggestions list for any website I visit hosted on a subdomain of example.com for some indeterminate time. If I then try to log in to datastation.example.com, its entry will appear quite far down the list of suggestions. (There are a lot of passwords under the domain, and they seem to be unsorted aside from the first suggestion, which is now stuck as rtr.example.com.) If I instead log in to datastation.example.com first, its credentials now become stuck at the top of the suggestions for any subdomain under example.com, and I'll have to search manually when I try to log in to rtr.example.com.

This is very annoying behavior, and has changed recently. It used to be that the first suggestion when entering the password on any page always matched the full domain of that page. (i.e. An entry for example.com would always be near the top of the suggestions for anything under example.com, but, for instance, rtr.example.com would never appear as a suggestion outside of the rtr.example.com subdomain.) I hope I'm just missing a setting to disable this behavior, but it actually reduces the security of 1Password.

Because of this, 1Password may currently offer as a first suggestion a password which does not match the full domain of the page being viewed. Though rare, it's not impossible that this will be a website controlled by a different entity entirely. (Technically that's exactly what's happening in my example, though the security impact of accidentally entering the password for one device into another that I also manage is, at least, fairly low.)


1Password Version: 7.4.2
Extension Version: 7.4.2
OS Version: 10.15.2
Sync Type: Not Provided
Referrer: forum-search:subdomain
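
The matching rule this post describes as the earlier behaviour (exact host first, parent domain after it, sibling subdomains never), as an added example that is not part of the original post and is not 1Password's code. The function names and vault entries are constructed for illustration, and no public suffix list is consulted.

```javascript
// Added example; not 1Password's implementation. All names are hypothetical.

// Normalize a saved "website" value or a page URL to a bare lowercase hostname.
function hostOf(value) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value) ? value : `https://${value}`;
  // URL lowercases the host; also drop a trailing root dot ("example.com.").
  return new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
}

// An entry applies to a page when its host equals the page host, or is a
// parent of it on a label boundary: "example.com" covers "rtr.example.com",
// but "evilexample.com" is a different registrable name and does not match.
// Assumption: entries are never saved as a bare public suffix such as "com".
function covers(entryHost, pageHost) {
  return pageHost === entryHost || pageHost.endsWith(`.${entryHost}`);
}

// Return titles of entries that apply to pageUrl, most specific host first.
// Sibling subdomains are never returned, and which entry was used last
// plays no part in the ordering.
function suggest(entries, pageUrl) {
  const pageHost = hostOf(pageUrl);
  return entries
    .map((entry) => ({ entry, host: hostOf(entry.website) }))
    .filter(({ host }) => covers(host, pageHost))
    // Every remaining host is a suffix of pageHost, so longer means more specific.
    .sort((a, b) => b.host.length - a.host.length || a.entry.title.localeCompare(b.entry.title))
    .map(({ entry }) => entry.title);
}

// Constructed vault contents.
const vault = [
  { title: "Router admin", website: "rtr.example.com" },
  { title: "Datastation admin", website: "https://datastation.example.com/login" },
  { title: "Domain registrar", website: "example.com" },
  { title: "Lookalike", website: "evilexample.com" },
];

console.log(suggest(vault, "https://datastation.example.com/admin"));
console.log(suggest(vault, "https://rtr.example.com/"));
```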

Comments

  • ag_ana

    Team Member

    Hi @Chaos215bar2! Welcome to the forum!

    For each, I'll create an entry in 1Password, enter its domain (only the domain) under the "website" field, generate passwords, and go from there.

    Are things working the way you want if you enter the subdomain as well, instead of only the domain?

  • Each entry contains the full subdomain.

  • ag_ana

    Team Member
    edited 2:07PM

    @Chaos215bar2:

    Thank you for the confirmation! I have let our developers know about this :+1:

    ref: dev/apple/issues#1504

  • Thanks!

    @ag_ana, if there's any way I can follow the ticket you referenced, I would be very interested.

  • BenBen AWS Team

    Team Member

    @Chaos215bar2

    Our issue tracker is private, sorry. :( But you're welcome to request status updates here on occasion. We may not be able to say much, but if a change is included in a beta or stable build we can let you know that.

    Ben

  • Any update, @Chaos215bar2? Have you been able to replicate the problem? I'm seeing the same behavior.

  • ag_ana

    Team Member

    @mkopit:

    We have no updates to share since two weeks ago, sorry!
