Exclude passwords from certain sites

Feature name

  • Enter the name/concept of the feature being requested
    I’d like the option similar to fill and remember which will add include a domain in a specific password, but the opposite. I work for a government agency and all state agency sites end with “.ca.gov” so BitWarden thinks every site is the same site, this means that with multiple options for auto-fill, the auto-fill doesn’t work. I’d like the ability to click the drop down and tell BitWarden to not ever match x password with y site. it seems like this change would make things better for countries like the UK too…

Have you tried editing the detection scheme? Using URIs | Bitwarden Help & Support

2 Likes

I could change the system to exact match, but there are tons of websites that handle logins in overlays or any number of other things that make that a poor option. Being able to say, “Hey, don’t use this password on this site is way more straightforward.”

If you just change your default detection to host rather than domain, Bitwarden will not confuse multiple sites/logins within the same base domain. But if you have already stored logins, you may have to go back in and change those.

2 Likes

thanks for the awesome information.

Good to know. I think it would be very helpful if that section in options had some explanation/example of the differences between the detection methods.

Hi Tre - that section on Match Detection Options is literally filled with explanation and examples. What more were you thinking should be added, specifically?

Where? I see nothing in the browser extension, nothing in the Android app, and not even a mention of matching on the website directly.

Edit: when into to an individual entry on the website i see a little ? Icon that does have exactly what I was looking for, but that info should be linked from both the app and extensions as that’s how most folks will be interacting with it.

I am speaking about the help documentation that @Davidz mentioned in the first reply to your original post:

https://bitwarden.com/help/article/uri-match-detection

Also, after looking through that page, I still think simply being able to blacklist a URl per entry would be the easiest solution to this. But thanks for your help.

Hi Tre - the NEVER match option is a blacklist for the item. But it must be a complete URI (not a domain or host name).

Have you tried my suggestion to change your default match detection to host instead of domain? You will also have to update existing entries, but if you do, then BW won’t confuse hosts on the same domain (i.e., URIs on different subdomains).

I believe the software will do what you need it to, but perhaps not the way that you originally envisioned. Let us know if we can help in any way!

If that’s your example, you’re not understanding what I’m asking for. I don’t want to set any passwords to never match. But I would like to set a password to never match with this URl, the inverse of the “Fill and save” option.

But really I think the main issue is that the default detection scheme doesn’t understand that, for example, in the URl www.dmv.ca.gov, “.ca.gov” is a TLD and instead thinks .ca is the SLD, meaning that ‘www dmv ca gov’ and ‘www dot ca gov’ and ‘www edd ca gov’ and www.jobs.ca.gov all match the same passwords (sorry I’m getting an error that I can only post two links per post so I have to misformat the URl).

But whatever man, I’m just trying to improve the product for future users at this point, you have shown me the work around, but seem to be resistant to addressing the problem directly. What I’m asking for is much more straightforward for the user than having my same issue and having to come here to search/ask the same question.

Hi @Tre916 - David is a very active community member and was simply trying to help clarify what options there are currently.

Thanks for your request - this helps us understand more use-cases.

Another option you could try is the ‘starts with’ URI match, if it’s the first part of the domains that differ :slight_smile:

Tre, I am trying hard to help here. I work in education, and I have multiple logins across multiple hosts and sub-domains, and I run into this all the time.

I strongly urge you to create a separate Bitwarden vault entry for every login that you have. Then add the matching URIs afterwards. Carefully choose the URI matching rules to distinguish the hosts. Do NOT use domain matching rules (they can’t tell any of those hostnames apart). My point is that you DO NOT HAVE TO ACCEPT THE DEFAULT DETECTION SCHEME! Create a detection rule that distinguishes your login endpoints. I really don’t know how to make this any clearer.

Seriously, if you want me to provide examples using the hostnames you provided above, I can do that.

1 Like

Like I said, I am fine now. But this process cannot be how a user is expected to deal with this issue: forcing people to come here, post a request, have a conversation over the course of a week, and then be required to learn and juggle detection schemes.

A simple option when there are multiple login matches for one site that says something like, “Never match this login with this site” is something that everyone can comprehend at face value. This is why I stand by my request.

I am still confused why you are unwilling to use the existing features of Bitwarden, which are more than adequate to solve your problems. The help documentation clearly demonstrates how to overcome all of your complaints, if you just take the time to learn. Instead you bemoan the software and the community trying hard to help you? :confused:

I am trying my best not to be combative, man. I really am. But twice now I have said, MY PROBLEM IS SOLVED. Changing the default match to host, seems to have fixed it.

But while the functionality is there, as you pointed out in your screenshot (now that I see the screenshot I understand what you were trying to say before, making my point that…), IT IS NOT INTUITIVE. Having to add this URl and then tell it to match never, is not how people think, but it is what I was trying to do. There should be an option below been “auto-fill and save” that does this, for the same reason that the auto-fill and save option exists, or do you think that should be removed and everyone should “just take the time to learn”?

Nobody is bemoaning the community, I am simply stating that most people are not even going to turn to the community for answers nor look to the documentation, they’re just going to go back to LastPass. I work in IT, directly with users, it is my job to do this; interact with the community/support as I am doing now, on behalf of those who won’t or don’t even know they can.