Forum Discussion

Former Member's avatar
Former Member
3 years ago

Subdomain sensitive autocomplete suggestion in browser extensions (c'mon it is now 2022!)

I know this has been requested several times here but I'd like to add the request now again in 2022. It is a mess that the browser extension still can't suggest subdomain sensitive items. In the ...
browser extension
Former Member's avatar
Former Member
3 years ago

In the end we have to conclude that the browser extension is unusable if you got hundreds of logins under the same root domain with different subdomains.
The autofill doesn't help at all and we stopped using it since out of a list of >100 entries it is impossible to pick the right one.

An absolute deal breaker for 1Password in general.

And I'm sorry this major usage bug is open since 2017. This is absolute nuts. For one of the most expensive password managers out there this is really crazy and embarrassing. (considering the funding you get)

And just for your info the explanation from 2017 is well known (https://1password.community/discussion/comment/348474#Comment_348474) but this can't still be the reason for driving 1password unusable. Just store the login items hashes of the root AND subdomain (a.b.de -> HASH, b.de -> HASH) and it would be no problem to suggest the correct login items in the correct and usable order. (since the browser extension can generate hashes for the current domain on the fly)

Implementation suggestion:

Map not encrypted:

HASH for a.de -> Login Item A
HASH for b.a.de -> Login Item A

Browser extension:

Current website (b.a.de)

-> Generate hash for "a.de" and generate hash for "b.a.de" and look into the unencrypted map.

Et voila you can suggest both items without even a single need of decrypting it beforehand. It is as simpel as that.

This is not some kind of micro bug this is a major flaw since it drives the browsers autofill unusable. And guess what employees started to activate Chromes password manager to save the passwords due to this major usability flaw. (since the autofill of chrome just works perfectly...)

And this makes it a major security bug!

I'm really angry that this one gets ignored now for more than half a decade.

Just embarrassing.

PS: For private use this is not a problem since you normally don't have multiple login items for the same domain. But for business usage especially in the field of web development agencies it is an absolute mess. All the login items are cleanly separated by subdomain but get all suggested at once.