I have a number of domain names, and some of those domain names are split into sub-domains. For example, https://linux.uk and https://forum.linux.uk. Now obviously (!) these are two completely different sites; one is running WordPress and the other Discourse (two completely different applications).
You will be both shocked and horrified to hear that I don’t use the same credentials on both, or at least I use the same username (email address) but choose completely separate passwords. Typically I let the browser pick a completely random long string of characters, then rely on the browser password manager to save them for me.
All cool, except for one thing. Chrome seems to have a feature called affiliated websites where for some inexplicable reason, it thinks you want to share a single password across multiple boxes. So when you save a password for a sub-domain site, and you already have a password for the main domain, depending on which way the wind is blowing, Chrome will store the same username (email address) and password, against multiple hosts.
Why is this bad?
When you change the password on one site, it will offer to save the new password. If you say yes, it will re-store the one entry that covers the other sites, so you will effectively lose the password for the other sites where you are using the same login id / email address (!)
Now for me, my mail server is also on the same domain, so when it happened to me, yes it saved my website password, but then it wiped my password for email and two other servers. (password resets aren’t fun when you can’t access your mail server … )
Disabling the “feature”
I feel like writing something along the lines of what on earth were they thinking but I think for anyone experiencing the problem, it probably doesn’t need saying.
So in the meantime, this behaviour can seemingly be disabled via this URL;
chrome://flags/
Select;
Password filling across grouped websites
And select “disable” from the drop-down menu. A quick shortcut to the passwords your browser is storing;
chrome://password-manager/passwords/
How to spot this
If you look down your list of passwords using the above link, some may say (n Accounts) after them; these are the possibilities. Problematic entries look something like this, where you end up with one username / password saved against three sites. (real entry, old / dead domain)
Anybody else had a problem with this?
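For a long password list, the check described under "How to spot this" can be scripted. This is an added example, not part of the original post: it assumes a password export in CSV form with the columns name,url,username,password,note, and the sample rows, domain names and function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows in the assumed export layout (not real credentials).
SAMPLE_EXPORT = """name,url,username,password,note
example.test,https://example.test/wp-login.php,me@example.test,Qx7-constructed-A,
forum.example.test,https://forum.example.test/login,me@example.test,Qx7-constructed-A,
mail.example.test,https://mail.example.test/,me@example.test,Qx7-constructed-A,
shop.example.test,https://shop.example.test/,me@example.test,Zp2-constructed-B,
other.test,https://other.test/,someone@other.test,Lm9-constructed-C,
"""


def find_shared_credentials(csv_text):
    """Return {(username, password): sorted hosts} for every credential pair
    that is stored against more than one distinct host."""
    hosts_by_cred = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        username = (row.get("username") or "").strip()
        password = row.get("password") or ""
        if not username or not password:
            continue  # nothing to compare
        host = urlsplit(row.get("url") or "").hostname
        if host is None:
            continue  # entry without a parseable host
        hosts_by_cred[(username, password)].add(host.lower())
    return {cred: sorted(hosts)
            for cred, hosts in hosts_by_cred.items() if len(hosts) > 1}


def report(csv_text):
    """Build one line per shared credential; the password is never included."""
    lines = []
    shared = find_shared_credentials(csv_text)
    for (username, _password), hosts in sorted(shared.items()):
        lines.append(f"{username}: one password stored for {len(hosts)} hosts: "
                     + ", ".join(hosts))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

A password export is a plain-text file, so run this locally and delete the file afterwards.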