Reused passwords report

Most of our importers will import unmapped fields into custom-fields (including the RoboFormImporter). Maybe there was something related to password history that got imported into a custom field.

I unfortunately haven’t got an example export from RoboForm at hand, to see which fields it might be. Would be good to know, to either map or skip them in the future.

Does cleaning the custom fields, change the output of the Reused Password Report?

This definitely sounds like an overhang from the RoboForm import in the past. If you’re cleaning these entries up as you find them, I’d expect to see the issue completely disappear over time. I doubt you’ll have any further occurrences. The only time a custom field is automatically created is during an import.

OK, but back to my original issue, would these old custom field entries be the reason why my Reused Passwords report says many accounts currently have reused passwords that do not?

I had a quick look at the source code for the report, and it only checks for the password-field.

If you are positive you don’t have any duplicates or actual re-used passwords, then they shouldn’t turn up in the report.

Are you possibly part of an organization (families, teams, enterprise)? The organization report retrieves all ciphers of the organizations and compares them. Possibly the duplicates are not coming from your individual vault, but from an organization vault.

Figured it out. After changing all the accounts that were confirmed as sharing a password, I was left with a list of maybe 20 accounts. Then I noticed a pattern in the remaining accounts. Each was part of a “pair” related to a single service - there are two “variations” that use the same password. Examples are:

Protonmail and Proton VPN
Wall St Journal and WSJ+
Paypal and Xoom (a paypal service)

So now my question is…is there a way to configure BW so it doesn’t flag these “sibling” accounts that share the same password as reused? The alternative would be to delete one, but this doesn’t seem an ideal solution.

Maybe BW could add a tickbox within an account record to indicate it has a sibling account and therefore it doesn’t get counted as reused?

Glad you figured it out!

Since the same services use the same password, just create a single entry for each and use it. You can have multiple URLs for each item. I would simply create the below entries.

Proton
WSJ
Paypal/Xoom

OK, so just add the second account URL to the first one and done?

It’s what I would do, unless someone has a better suggestion.

I think my follow up Q would be - if you’re relying on a single BW entry, how will BW know which URL to go to if the one you want is not the “primary” URL?


Thanks - I have not familiarized myself with this functionality but guess it’s time to…I added the Xoom URL to the Paypal entry and they both resolve to www.paypal.com

If this is the case, does it even make sense to have the second URL?

Probably not, but for the others… add the necessary URLs and then log in to test them. Sometimes it’s a little trial and error. Good luck.

You could also go to the “Domain Rules” section in the Account Settings of your Web Vault, where you will be able to define “Custom Equivalent Domains”.


Where do you access Domain Rules? I don’t see it.

Log in to the web vault, click on the profile icon in the top right corner, then select Account Settings:

Then you will see “Domain Rules” in the left-hand navigation menu.

Welcome to the community,

that was a great start! :+1:


I’m not finding a lot to explain what this does that’s better than what Moonpup suggested. Can you point me to where it’s explained or give me the 25 cent explanation of it?

It’s not necessarily “better”, it’s just an alternative approach to achieve the same goal. There may be some subtle differences between the two methods that would make one better than the other in some scenarios, but it’s too early in the morning so I can’t think of any examples off the top of my head right now…

Edited to Add: One difference is that the domain rules only work for matching on Base domain, so if you have a need for setting the URI match detection options to anything else, then you should use the method of adding multiple URLs to the login item (and to answer your question about which of the URLs Bitwarden will go to when you use the “Launch” button, it is always the top entry).
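To make the three points in this thread concrete (the report compares only the login password field and ignores custom fields; two separate "sibling" items with one password are therefore flagged; one item carrying several URLs is not, and base-domain matching is what the domain rules operate on), here is a small illustration in Python. It is an added example, not Bitwarden's own code or report logic, and the vault items, the `VaultItem` class, and the simplistic `base_domain()` helper (last two labels of the hostname, no public-suffix handling) are constructed assumptions for this demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class VaultItem:
    """Hypothetical login item: only `password` takes part in the reuse check."""
    name: str
    password: str
    uris: List[str] = field(default_factory=list)
    # Custom fields (e.g. leftovers from an importer) are deliberately ignored.
    custom_fields: Dict[str, str] = field(default_factory=dict)


def base_domain(uri: str) -> str:
    """Crude base-domain extraction (last two host labels); illustrative only."""
    host = urlparse(uri if "://" in uri else "https://" + uri).hostname or ""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def reused_passwords(items: List[VaultItem]) -> Dict[str, List[str]]:
    """Group items by their login password only.

    Returns {password: [item names]} for every password shared by two or
    more items. Custom fields never influence the result, which is why old
    imported fields cannot by themselves produce a reused-password hit.
    """
    by_password: Dict[str, List[str]] = {}
    for item in items:
        if item.password:  # items without a password are skipped
            by_password.setdefault(item.password, []).append(item.name)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


# Constructed sample vault, as described in the thread: two sibling services
# sharing one password, plus an unrelated item carrying an imported custom field.
SEPARATE_ITEMS = [
    VaultItem("Protonmail", "example-secret-1", ["https://mail.proton.me"]),
    VaultItem("Proton VPN", "example-secret-1", ["https://account.protonvpn.com"]),
    VaultItem("Bank", "example-secret-2", ["https://www.example-bank.test"],
              custom_fields={"old password": "example-secret-1"}),
]

# The same vault after consolidating the siblings into one item with two URLs.
CONSOLIDATED_ITEMS = [
    VaultItem("Proton", "example-secret-1",
              ["https://mail.proton.me", "https://account.protonvpn.com"]),
    SEPARATE_ITEMS[2],
]


def item_base_domains(item: VaultItem) -> List[str]:
    """Base domains an item would be matched on under base-domain matching."""
    return [base_domain(u) for u in item.uris]


if __name__ == "__main__":
    print("before consolidation:", reused_passwords(SEPARATE_ITEMS))
    print("after consolidation: ", reused_passwords(CONSOLIDATED_ITEMS))
    print("Proton base domains: ", item_base_domains(CONSOLIDATED_ITEMS[0]))
```

Running it shows the two separate Proton items reported as sharing a password while the "Bank" item stays clean despite its imported custom field, and the consolidated vault produces an empty report. The last line shows that the two Proton URLs map to different base domains, which is why a single domain rule would not cover both of them unless you declare them equivalent.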
