[Regression] 1Password suggesting passwords from wrong subdomain

Chaos215bar2
Community Member
edited February 2020 in Mac

I manage a domain with quite a few devices on separate subdomains, and use 1Password as a means to easily create and enter unique admin passwords for each.

Let's say I have two hosted at rtr.example.com and datastation.example.com. For each, I'll create an entry in 1Password, enter its domain (only the domain) under the "website" field, generate passwords, and go from there. If I want to log in to rtr.example.com, I'll then just visit its admin page in Safari, activate 1Password, and its entry will then be at the top of the suggestions. If I then go to datastation.example.com and do the same, it should now be at the top of the suggestions, and indeed until recently that's what happened.

Now, if I log in to rtr.example.com first, its credentials will persist at the top of the suggestions list for any website I visit hosted on a subdomain of example.com for some indeterminate time. If I then try to log in to datastation.example.com, its entry will appear quite far down the list of suggestions. (There are a lot of passwords under the domain, and they seem to be unsorted aside from the first suggestion, which is now stuck as rtr.example.com.) If I instead log in to datastation.example.com first, its credentials now become stuck at the top of the suggestions for any subdomain under example.com, and I'll have to search manually when I try to log in to rtr.example.com.

This is very annoying behavior, and has changed recently. It used to be that the first suggestion when entering the password on any page always matched the full domain of that page. (i.e. An entry for example.com would always be near the top of the suggestions for anything under example.com, but, for instance, rtr.example.com would never appear as a suggestion outside of the rtr.example.com subdomain.) I hope I'm just missing a setting to disable this behavior, but it actually reduces the security of 1Password.

Because of this, 1Password may currently offer as a first suggestion a password which does not match the full domain of the page being viewed. Though rare, it's not impossible that this will be a website controlled by a different entity entirely. (Technically that's exactly what's happening in my example, though the security impact of accidentally entering the password for one device into another that I also manage is, at least, fairly low.)


1Password Version: 7.4.2
Extension Version: 7.4.2
OS Version: 10.15.2
Sync Type: Not Provided
Referrer: forum-search:subdomain

Comments

  • ag_ana
    1Password Alumni

    Hi @Chaos215bar2! Welcome to the forum!

    > For each, I'll create an entry in 1Password, enter its domain (only the domain) under the "website" field, generate passwords, and go from there.

    Are things working the way you want if you enter the subdomain as well, instead of only the domain?

  • Chaos215bar2
    Community Member

    Each entry contains the full subdomain.

  • ag_ana
    1Password Alumni
    edited April 2020

    @Chaos215bar2:

    Thank you for the confirmation! I have let our developers know about this :+1:

    ref: dev/apple/issues#1504

  • Chaos215bar2
    Community Member

    Thanks!

    @ag_ana, if there's any way I can follow the ticket you referenced, I would be very interested.

  • @Chaos215bar2

    Our issue tracker is private, sorry. :( But you're welcome to request status updates here on occasion. We may not be able to say much, but if a change is included in a beta or stable build we can let you know that.

    Ben

  • mkopit
    Community Member

    Any update, @Chaos215bar2? Have you been able to replicate the problem? I'm seeing the same behavior.

  • ag_ana
    1Password Alumni

    @mkopit:

    We have no updates to share since two weeks ago, sorry!

  • mkopit
    Community Member

    Anything new to report? It's been a few months and the issue persists.

  • ag_ana
    1Password Alumni

    @mkopit:

    Nothing else to report at the moment, sorry! Please keep an eye out on the release notes however: whenever we implement a fix, we will mention it there :+1:

  • jholtzman
    Community Member

    I have a related problem. My employer has two different login systems. One is for general access, one for access to more restricted systems (hospital and medical school). The general access system is accessed through weblogin.umich.edu, the other is weblogin.med.umich.edu. We are redirected through both systems countless times per day, depending on which resource we are trying to access. 1P always tries to use the credentials for the less restricted login. It is quite annoying to have to type passwords manually, kind of defeats the purpose. Please prioritize and fix this bug!

  • Thanks for sharing your perspective, @jholtzman.

    Ben

  • Mitchel
    Community Member

    I have the same issue, subdomain.domain.com shows logins from anothersubdomain.domain.com.

    Btw, I switched between my browser tabs a few times, and the first 3 times it looked like it showed all logins from the same domain, and now it is showing the correct logins for the subdomain + domain.

    I see you guys are saying, "OK, we will tell the developers", but are you able to reproduce this issue? Because it looks like it does not have the same behavior every time, so it is hard to reproduce.

    I hope my explanation will help!

  • @Mitchel,

    > I have the same issue, subdomain.domain.com shows logins from anothersubdomain.domain.com.

    My apologies for any confusion: that's intentional. It is supposed to work that way. :) 1Password matches based on the domain. Subdomains are used for sorting, but do not exclude logins from being suggested. The issue the OP was having is that 1Password should be suggesting the closest match first (with the exception of favorites, which are always sorted above other items), and that was not happening. We hope to have that fixed up soon.

    Ben
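
The ordering described in the reply above (domain-level matching, favorites first, then the closest subdomain), next to the stricter exact-host-or-parent policy the original poster expected, as an added JavaScript example that is not 1Password's code and not part of the thread. The function names, the vault items and the two-entry suffix set are constructed for illustration; a real matcher would use the full Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List (assumption, two entries only).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "github.io"]);

// "rtr.example.com" -> "example.com"; keeps one extra label for listed suffixes.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Number of trailing labels two hosts share; higher means a closer match.
function sharedSuffixLabels(a, b) {
  const x = a.toLowerCase().split(".").reverse();
  const y = b.toLowerCase().split(".").reverse();
  let n = 0;
  while (n < x.length && n < y.length && x[n] === y[n]) n++;
  return n;
}

// Domain-level matching with the ordering described in the thread:
// favorites first, then the exact host, then the closest subdomain.
function rankSuggestions(pageHost, items) {
  const page = pageHost.toLowerCase();
  return items
    .filter((it) => registrableDomain(it.host) === registrableDomain(page))
    .map((it) => ({ ...it, exact: it.host.toLowerCase() === page,
                    closeness: sharedSuffixLabels(it.host, page) }))
    .sort((a, b) => (b.favorite - a.favorite) || (b.exact - a.exact) ||
      (b.closeness - a.closeness) || a.title.localeCompare(b.title));
}

// Stricter policy: only the exact host or one of its parent domains.
function strictSuggestions(pageHost, items) {
  const page = pageHost.toLowerCase();
  return rankSuggestions(page, items).filter((it) => {
    const h = it.host.toLowerCase();
    return h === page || page.endsWith("." + h);
  });
}

// Constructed vault items using hostnames mentioned in the thread.
const VAULT = [
  { title: "Router", host: "rtr.example.com", favorite: false },
  { title: "Datastation", host: "datastation.example.com", favorite: false },
  { title: "Example root", host: "example.com", favorite: false },
  { title: "General weblogin", host: "weblogin.umich.edu", favorite: false },
  { title: "Medical weblogin", host: "weblogin.med.umich.edu", favorite: false },
  { title: "Other tenant", host: "bob.github.io", favorite: false },
];
console.log(rankSuggestions("datastation.example.com", VAULT).map((it) => it.title));
```

The `github.io` entry shows why the suffix list matters: without it, `alice.github.io` and `bob.github.io` would be treated as one domain even though different parties control them.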

This discussion has been closed.