apple / password-manager-resources

A place for creators and users of password managers to collaborate on resources to make password management better.
MIT License

Format change suggestion for quirks: add unrelated domains that may be assumed to be related #590

Open igor-makarov opened 2 years ago

igor-makarov commented 2 years ago

TL;DR: Sometimes enterprise IT has software that isn't part of their SSO. This causes endless confusion both for users and password managers.

Real life example: Tel Aviv University has the following websites sharing SSO credentials:

However, they also have a different subdomain for payroll, ihilanet.tau.ac.il which is run by an outside contractor, a big co with their own identity management system.

Safari, and probably other password managers, assume that these websites are related based on domain suffix and suggest more than one password. It's displayed like so:

[Screenshot: Screen Shot 2022-02-18 at 20 19 04]

The "from this website" gives me a hint that there's a distinction between an exact subdomain match and a password saved from another domain. But for this website, suggesting these other sites amounts to password reuse: this subdomain has a separate credential backend.

So in summary, my suggestion is to add a new rule type to the quirks - to allow specifying a subdomain that is definitively unrelated to another domain or subdomain.

I'm not sure as to how to properly represent a "non-equal" relation type, but here's an attempt at a syntax:

    {
        "from": [
            "*.tau.ac.il"
        ],
        "unrelatedTo": [
            "ihilanet.tau.ac.il"
        ]
    },
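A small evaluator for the rule shape proposed above, added here as an illustration; it is not code from this issue or from the password-manager-resources project. It assumes the `from`/`unrelatedTo` syntax exactly as written, treats the relation as symmetric (a credential saved on the unrelated subdomain is not offered on its siblings, and vice versa), and uses a crude three-label suffix in place of a public-suffix-list lookup. The function names and every hostname other than `ihilanet.tau.ac.il` and `tau.ac.il` are constructed for the example.

```python
# Added example, not part of the issue or the project. Demonstrates how a
# password manager could consult an "unrelatedTo" quirk when deciding which
# saved credentials to offer on a given host.
import json

# Constructed sample: the quirk exactly as proposed in the issue.
QUIRKS_JSON = """
[
    {
        "from": ["*.tau.ac.il"],
        "unrelatedTo": ["ihilanet.tau.ac.il"]
    }
]
"""
QUIRKS = json.loads(QUIRKS_JSON)

# Constructed sample vault: hostnames other than ihilanet.tau.ac.il are made up.
SAVED = [
    ("example-app.tau.ac.il", "alice"),
    ("ihilanet.tau.ac.il", "alice-payroll"),
    ("example.com", "alice"),
]


def host_matches_pattern(host: str, pattern: str) -> bool:
    """Match a hostname against a quirk pattern.

    "*.example.com" matches any host strictly below example.com (at least one
    label before the suffix); any other pattern is an exact, case-insensitive match.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host != suffix and host.endswith("." + suffix)
    return host == pattern


def registrable_suffix(host: str, labels: int = 3) -> str:
    """Crude stand-in for the suffix a manager groups credentials by.

    Real implementations consult the public suffix list; for tau.ac.il the
    effective TLD is ac.il, so keeping three labels reproduces that grouping.
    This fixed label count is an assumption made to keep the example offline.
    """
    return ".".join(host.lower().split(".")[-labels:])


def is_unrelated(host_a: str, host_b: str, quirks: list) -> bool:
    """True if a quirk declares the two hosts definitively unrelated.

    Checked in both directions. A host that itself appears in "unrelatedTo"
    is not treated as a member of the "from" group, so a host is never
    unrelated to itself.
    """
    for rule in quirks:
        froms = rule.get("from", [])
        unrelated = rule.get("unrelatedTo", [])
        for a, b in ((host_a, host_b), (host_b, host_a)):
            a_in_group = (any(host_matches_pattern(a, p) for p in froms)
                          and not any(host_matches_pattern(a, p) for p in unrelated))
            b_excluded = any(host_matches_pattern(b, p) for p in unrelated)
            if a_in_group and b_excluded:
                return True
    return False


def credentials_to_suggest(current_host: str, saved: list, quirks: list) -> list:
    """Return the (host, username) pairs a manager should offer on current_host.

    An exact host match is always offered. Otherwise a credential is offered
    when its host shares the grouping suffix with current_host and no quirk
    marks the pair as unrelated.
    """
    out = []
    for host, user in saved:
        if host.lower() == current_host.lower():
            out.append((host, user))
        elif (registrable_suffix(host) == registrable_suffix(current_host)
              and not is_unrelated(current_host, host, quirks)):
            out.append((host, user))
    return out


if __name__ == "__main__":
    for site in ("ihilanet.tau.ac.il", "other-app.tau.ac.il"):
        print(site, "->", credentials_to_suggest(site, SAVED, QUIRKS))
```

With the quirk in place, the payroll subdomain is offered only its own credential, while a sibling host under the same suffix still receives the SSO credential but not the payroll one; without the quirk, the suffix rule alone would offer all three `tau.ac.il` entries on both hosts.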
igor-makarov commented 2 years ago

@rmondello what do you think?

P.S. I've noticed that Swift subdomains are also like this: