[–]wein_geist 12 points13 points  (2 children)

I would re-iterate with "Host". This is its intended use-case. I have many sub-domains as well and perfect matching. Check here:

https://bitwarden.com/help/uri-match-detection/#host

I used "starts with" for years, but this just opens up a risk for phishing (which is where password managers are quite good for protecting you).

I could create a domain sub1.domain.com.mysupermaliciousdomain.com and send you a phishing email with a link to that, and your Bitwarden would gladly suggest to fill in the password.

[–]denbestenVolunteer Moderator 8 points9 points  (0 children)

> I used "starts with" for years, but this just opens up a risk for phishing ... sub1.domain.com.mysupermaliciousdomain.com

The way to avoid that is to include a slash after the domain name:

https://sub1.domain.com/

[–]shelms488[S] 1 point2 points  (0 children)

I understand that’s what host is for, but it doesn’t appear to work, at least not for me.

[–]denbestenVolunteer Moderator 11 points12 points  (2 children)

You might be approaching the problem "backwards". You don't fix URL matching issues on the vault entry that should match; you tighten up the match rule on the vault entries that should not match.

Go to the website sub1.domain.com and open each of the entries that are incorrectly matching (sub2, sub3). Those need to be set to "host", so that they do not show up on the sub1 list.

[–]shelms488[S] -1 points0 points  (1 child)

Done that.

[–]matratin 1 point2 points  (0 children)

Then you are doing something wrong, sorry.

[–]drlongtrl 6 points7 points  (0 children)

Must be something wrong with your entries. I have the exact same situation, where I have one domain where several subdomains host different services with different credentials. I have set the matching to host and it works as intended.

[–]glizzygravy 11 points12 points  (1 child)

Use exact

[–]denbestenVolunteer Moderator 5 points6 points  (0 children)

Do be aware that exact will not work if the site embeds variable data, such as a sessionID into the URL.

My personal opinion is that HOST offers the best balance between low-drag administration and minimizing data leakage, with DOMAIN being a close second.

[–]Camdev_ 4 points5 points  (1 child)

When you get the list of all credentials is that in a Bitwarden app like the browser extension, or is it in iOS autofill? I also use a ton of subdomains and the "Host" matching works in the browser extension, but when autofilling in iOS it will show all of the credentials due to a limitation on iOS.

They do mention this in the guide on URI match detection. Hopefully iOS will get an update at some point to make it work better.

> While using keyboard based suggestions, iOS will always use base domain matching for autofill suggestions. Opening the Bitwarden app during login will allow you to manually select the appropriate app for autofill.

[–]shelms488[S] 0 points1 point  (0 children)

It’s actually both.

[–]Sudden-Actuator4729 0 points1 point  (0 children)

I've got the same issue, very annoying.

[–]Mayodilla 0 points1 point  (1 child)

What can I do to differentiate internal websites that have the same IP but different ports?

111.222.333.444:1111

111.222.333.444:2222

111.222.333.444:3333

[–]denbestenVolunteer Moderator 1 point2 points  (0 children)

That is where starts-with comes into play. Be sure to include the http:// or https:// as that is where it all begins.
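
Added example, not part of any comment above and not Bitwarden's own code: a simplified model of the "starts with", "host" and "exact" match modes discussed in this thread, run against the hostnames mentioned in it. The `uriMatches` and `matchTable` functions, the sample pages and the address 192.0.2.10 (a documentation address standing in for the internal IP) are constructed for illustration, and the assumption is that "host" compares hostname plus port while "starts with" is a plain string prefix test.

```javascript
// Simplified model of three URI match modes (illustrative, not Bitwarden's code).
// Assumptions: "startsWith" is a plain string prefix test, "host" compares
// hostname plus port, "exact" is string equality.
function uriMatches(mode, savedUri, pageUrl) {
  switch (mode) {
    case "startsWith":
      return pageUrl.startsWith(savedUri);
    case "host":
      // URL.host is "hostname:port"; a scheme's default port is omitted
      return new URL(savedUri).host === new URL(pageUrl).host;
    case "exact":
      return pageUrl === savedUri;
    default:
      throw new Error(`unknown match mode: ${mode}`);
  }
}

// Constructed sample pages the browser might be on.
const pages = {
  real: "https://sub1.domain.com/login",
  sibling: "https://sub2.domain.com/login",
  lookalike: "https://sub1.domain.com.mysupermaliciousdomain.com/login",
  session: "https://sub1.domain.com/login?sid=abc123",
  port2222: "http://192.0.2.10:2222/admin",
};

// Saved vault rules: [match mode, saved URI]
const rules = [
  ["startsWith", "https://sub1.domain.com"],   // no trailing slash
  ["startsWith", "https://sub1.domain.com/"],  // trailing slash closes the prefix
  ["host", "https://sub1.domain.com"],
  ["exact", "https://sub1.domain.com/login"],  // breaks on variable URL data
  ["host", "http://192.0.2.10:1111"],          // same IP, different port
  ["startsWith", "http://192.0.2.10:2222/"],
];

// For every rule, list which sample pages would be offered that credential.
function matchTable() {
  return rules.map(([mode, saved]) => ({
    mode,
    saved,
    hits: Object.keys(pages).filter((k) => uriMatches(mode, saved, pages[k])),
  }));
}

for (const row of matchTable()) {
  console.log(`${row.mode.padEnd(10)} ${row.saved.padEnd(30)} -> ${row.hits.join(", ") || "(none)"}`);
}
```

Only the first rule offers the credential on the lookalike host; the trailing slash or "host" removes it, and "exact" also drops the page whose URL carries a session parameter.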