Reused Passwords Report - custom equivalent domains

I have Custom Equivalent Domains configured for specific domains not in the global list. The issue I am facing is that when I run the Reused Passwords Report tool, it reports a reused-password warning for domains that are configured as equivalent. In my opinion it should not work like that. What are your thoughts on the matter?

  • caracalla

Somebody has already asked about this here but received no answer.

Basically, I have set up two domains as equivalent (codecanyon_net and envato_com). In the generated reused passwords report, they still show as “reused”.

This is wrong and it needs to be fixed.

Global equivalent domains are used when one set of login credentials works for logging in on websites that have different domains. The purpose of defining two or more domains as equivalent is so that you will be able to use a single login item in the vault for logging in to all of the equivalent domains. Being able to use a single domain for all of the equivalent domain logins is a benefit, because it reduces the risk of forgetting to update the information in all related login items when you are changing the password for any one of those sites. Another benefit is that if you have more than one account on a set of websites that are equivalent, autofilling will work as it is designed only if you maintain a single vault item for each account (e.g., if you have a work account and a personal account that you use on 4 websites that are equivalent, you’d have to cycle through 8 sets of credentials if you maintain a separate vault item for each website, whereas you only select from 2 sets of credentials if you only have one vault item per account).

So my point is, the Reused Passwords report is working as it should: it is warning you that your vault contains redundant login items, which can only lead to trouble. You should delete all of the redundant vault items, and keep only a single login item for each account.
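The distinction drawn above, between a password that is genuinely reused across unrelated sites and a redundant vault item that duplicates an account across equivalent domains, can be made mechanically. The following is an added illustration written for this thread, not Bitwarden's own report code: it runs a reused-password check over a constructed vault, then uses an equivalent-domain table (the codecanyon.net / envato.com pair from the thread plus a hypothetical unrelated site) to separate items that should be merged from passwords that should be changed. The vault layout, the field names, and the naive "last two labels" domain extraction are all assumptions of the example.

```python
"""Added example: a reused-password report that knows about equivalent domains.

Not Bitwarden's implementation; the vault structure and domain matching are
assumptions made for this illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed equivalent-domain groups (custom equivalents, not the global list).
EQUIVALENT_DOMAINS = [
    {"codecanyon.net", "envato.com"},
]

# Constructed vault: two redundant items for one account (CodeCanyon/Envato),
# plus the same password reused on an unrelated forum, plus one unique item.
VAULT = [
    {"name": "CodeCanyon", "username": "me@example.com", "password": "hunter2!",
     "uri": "https://codecanyon.net/login"},
    {"name": "Envato", "username": "me@example.com", "password": "hunter2!",
     "uri": "https://envato.com/sign_in"},
    {"name": "Forum", "username": "me@example.com", "password": "hunter2!",
     "uri": "https://forum.example.org/"},
    {"name": "Bank", "username": "me", "password": "correct horse battery",
     "uri": "https://bank.example/"},
]


def registrable_domain(uri):
    """Naive eTLD+1: keep the last two host labels (assumption; a real checker
    would consult the public suffix list)."""
    host = (urlsplit(uri).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def equivalence_key(domain):
    """Map a domain to a canonical representative of its equivalence group."""
    for group in EQUIVALENT_DOMAINS:
        if domain in group:
            return min(group)
    return domain


def reused_passwords(vault):
    """Plain reused-password report: password -> list of items sharing it."""
    by_password = defaultdict(list)
    for item in vault:
        by_password[item["password"]].append(item)
    return {pw: items for pw, items in by_password.items() if len(items) > 1}


def classify(vault):
    """Split each reused-password group into:
      merge  - item names that are the same account on equivalent domains
               (redundant vault items; keep one login item per account)
      change - distinct equivalence-domains that share a password across
               genuinely different accounts (the password should be rotated)
    """
    merge, change = [], []
    for items in reused_passwords(vault).values():
        by_account = defaultdict(list)
        for item in items:
            key = (item["username"], equivalence_key(registrable_domain(item["uri"])))
            by_account[key].append(item["name"])
        for names in by_account.values():
            if len(names) > 1:
                merge.append(sorted(names))
        if len(by_account) > 1:
            change.append(sorted(domain for _, domain in by_account))
    return {"merge": merge, "change": change}


if __name__ == "__main__":
    result = classify(VAULT)
    for names in result["merge"]:
        print("redundant items for one account, merge:", ", ".join(names))
    for domains in result["change"]:
        print("password shared across different sites, change it:", ", ".join(domains))
```

On the constructed vault the check reports the CodeCanyon and Envato items as redundant (same username, equivalent domains) and still flags the password as reused because the unrelated forum shares it; deleting the duplicate item, as done later in this thread, clears the first finding but not the second.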

Thanks for the detailed explanation :slight_smile:

I am coming from LastPass, where equivalent domains work slightly differently.

I deleted the duplicate passwords and Bitwarden is able to show login details for all equivalent domains using just one login datum.

Cheers.
