Hey guys,
I thought of a feature that would help clean up login entries and increase user safety.
It would be nice to have logins consistently displayed and deduplicated when different websites use the same credentials database. So, it would be nice to have a web service or API integrated into BW that facilitates tracking domains that share the same login databases, and provides a better title for the saved entries in Bitwarden, so that, if a user visits a new site that uses the same db as a site they already use, they don’t accidentally make a new user profile because they think someone has already used their username, and they don’t have to manually add the URL to the existing Bitwarden data. It would also be nice to see a consistent favicon for these deduplicated entries. In addition, this feature will help users identify scam websites much faster.
Multiple domains for same web service
For example, today I tried logging in on the Zoom mobile app, and it suggested a login matching the usual https://zoom.us URL (where people log in on the website), but when I went to add a new login in the app, it populated the URL field with https://zoomgov.com. Mobile apps often use a different URL from the website login. The zoom.us entry was labeled something like “us4 zoom.us” automatically, while the zoomgov.com entry was labeled something like “zoom gov”. At first glance it isn’t apparent that those are the same services, since their URLs differ, and their titles differ.
Same goes for Riot Games and League of Legends. When you make an account with them, the auto-save feature records the account with the https://auth.riotgames.com URL and a corresponding icon, but when you log in to a League of Legends account online, you’re facing https://na.leagueoflegends.com, so BW doesn’t suggest the auth.riotgames.com entries. Adding a second URL to the password entry comes with a cost: because of how BW works, it shows the favicon of the first entry in the URLs list and the URL list cannot be reordered when you add a new URL, so to change the favicon, you have to delete the old URL and add it again. To make the BW entries consistent, it takes some work, which could have been easier, and ultimately could have been automated by a service.
Domains change over time
Another example is when a website updates its URL or sells its business to another company. Earlier this year, Radius Bank sold out to LendingClub, and their new URL became https://bank.lendingclub.com. If the website hadn’t explained that this would happen in an email, or if the user blocks those emails, or was out of the country for a year on some kind of remote, isolated trip, then they might miss the transition. Websites usually forward users to the new URL from the old one, but eventually they get rid of the forwarding. This is a problem for users when they haven’t visited a website in a long time (emuparadise.org for example, or some random forum) and their memories decay, or if the site moves to a new URL that is similar, but the user doesn’t pick up on it because it was a subtle change, or if they move to a completely different name, and there are no hints. For example, TikTok used to be hosted on Musical.ly, and I am sure a lot of people who made musical.ly accounts didn’t notice the change and thought they were signing up for a new service called TikTok a few years later when it became popular.
Multiple domains for same web service but different client portals
Some websites provide their login and profile databases as a service to other front-end sites that have different domains. For example, if Discover.com makes a new banking app but doesn’t want it hosted under the Discover domain, users would log in to the new site using their Discover credentials. This practice is pretty common for some websites, like adult dating websites, like https://fling.com and https://adultfriendfinder.com.
Other password vaults may have implemented this already.