How does Bitwarden determine which user/pass to use for a site?

I have a question regarding how Bitwarden determines which user/pass to use for a site. I know that it uses some setting named “Default URI match detection” which defaults to “Base domain”. So, a user/pass saved for a site subdomain1.domain.com will be suggested for subdomain2.domain.com as well. Also, I can use a different match detection (e.g. host, exact, etc). All that works perfectly.

But recently I have seen something that caught me off-guard. I manually saved a password for bitbucket.org. Then I went to sign into bitbucket.org by visiting the url id.atlassian.com/login exactly (no query parameters). I was then surprised to see that bitwarden was using the user/pass I saved for bitbucket.org on id.atlassian.net/login.

Question: how does bitwarden know that bitbucket belongs to atlassian, or does it? If it doesn’t, why does it suggest my bitbucket user/pass on id.atlassian.net?

Not that I am complaining or something, not at all. I am just surprised to see bitwarden handle it so intelligently. So want to know how it does it. TIA.

1 Like

Hello @suhail and welcome to the community,

You are correct that Bitwarden will use the URI for match detection, and by default is set to base domain matching.

I believe regarding your question though this may be due to the equivalent domains feature of Bitwarden. There is a list in the web-vault that can also be customized which will include known sites that would have the same login.

For example, setting turbotax.com and intuit.com as equivalent means that a vault item with turbotax.com saved as a URI will also be offered for auto-fill at intuit.com.

Hope that info helps :slightly_smiling_face:

1 Like

As Kent mentioned, the matching that you were surprised by occurred because Bitwarden has a set of Domain Rules that identifies “equivalent” domains (because the same set of login credentials can be used at any of the equivalent domains). In your case, the following domains have been identified as being equivalent:

atlassian.com, 
bitbucket.org, 
trello.com, 
statuspage.io, 
atlassian.net, 
jira.com


You can find the current list of such domain rules (and even customize the list of equivalent domains to fit your needs) by logging in to the Web Vault, clicking on your profile icon (top right) and selecting Account Settings. From there, use the navigation links on the left to go to Domain Rules:


3 Likes
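As an added illustration of the two layers described in this thread (base-domain match detection, then expansion through an equivalent-domain group), here is a small sketch in JavaScript. It is not Bitwarden's code; the equivalent-domain group is the one quoted above, the base-domain logic is a simplified stand-in (real clients consult a public suffix list), and the sample vault is constructed.

```javascript
// Equivalent-domain group quoted in the answer above (Bitwarden's real list is longer
// and user-customisable; any entry here is trusted to receive the same credentials).
const EQUIVALENT_DOMAINS = [
  ["atlassian.com", "bitbucket.org", "trello.com", "statuspage.io", "atlassian.net", "jira.com"],
];

// Hostname -> registrable "base domain". Simplified assumption: last two labels, plus a
// tiny allowance for two-part public suffixes. Real clients use the public suffix list.
const TWO_PART_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  if (labels.length < 2) return hostname.toLowerCase();
  const lastTwo = labels.slice(-2).join(".");
  if (TWO_PART_SUFFIXES.has(lastTwo) && labels.length >= 3) return labels.slice(-3).join(".");
  return lastTwo;
}

// Expand a base domain to its equivalence class (just itself if it is in no group).
function equivalentSet(domain) {
  const group = EQUIVALENT_DOMAINS.find((g) => g.includes(domain));
  return new Set(group ?? [domain]);
}

// The match-detection modes mentioned in the question: exact, host, base domain.
function urisMatch(pageUrl, savedUri, mode = "baseDomain") {
  const page = new URL(pageUrl);
  const saved = new URL(savedUri.includes("://") ? savedUri : `https://${savedUri}`);
  switch (mode) {
    case "exact": return page.href === saved.href;
    case "host": return page.host === saved.host;
    case "baseDomain": return equivalentSet(baseDomain(saved.hostname)).has(baseDomain(page.hostname));
    default: throw new Error(`unknown match mode: ${mode}`);
  }
}

// Vault items whose saved URIs match the page under the chosen mode.
function suggestLogins(pageUrl, vaultItems, mode = "baseDomain") {
  return vaultItems.filter((item) => item.uris.some((u) => urisMatch(pageUrl, u, mode)));
}

// Constructed sample vault mirroring the scenario in the question.
const SAMPLE_VAULT = [
  { name: "bitbucket", uris: ["bitbucket.org"] },
  { name: "bank", uris: ["https://online.examplebank.co.uk/login"] },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(suggestLogins("https://id.atlassian.net/login", SAMPLE_VAULT).map((i) => i.name));
}
```

Switching the mode to "host" for the bitbucket item is the knob a user would turn if they did not want the saved login offered on other domains in the group.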