
Issue 800443

Starred by 11 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, iOS, Chrome, Mac, Fuchsia
Pri: 3
Type: Bug

Blocking:
issue 714610




PSL matched and linked credentials are hard to unlink

Project Member Reported by vabr@chromium.org, Jan 9 2018

Issue description

Reading some of the complaints towards the end of bug 385619, users are hitting the following scenario:

(1) They have username/password pair stored both on sub1.domain.tld and on sub2.domain.tld.
(2) The user updates the password on sub1.domain.tld.
(3) Chrome also automatically updates the credential stored for sub2.domain.tld.

For cases where the accounts on sub1.domain.tld and sub2.domain.tld are in fact one and the same account, this is working as intended and necessary to make the feature work. This is the majority use-case and needs to be preserved.

The other case is when the accounts on sub1 and sub2 are different, yet the username/password pair is identical for them. One thing which I still need to clarify is: how does this happen? Is it the case that the user is forced to use the same password on both sub1 and sub2, yet later needs and is allowed to make them different? We need to understand this and how frequent it is before we can decide on the best solution for this use-case.

I'm also adding battre@ who mentioned disabling PSL matching recently and might know more details about that and who's going to work on that.
 

Comment 1 by vabr@chromium.org, Jan 9 2018

Steps with real domain names:

(1) Save user/a on http://1.chromium-test1.appspot.com/testing/psl-matching/login
(2) Save user/a on http://2.chromium-test1.appspot.com/testing/psl-matching/login
(3) Save user/abcdefg on http://2.chromium-test1.appspot.com/testing/psl-matching/login, accept the prompt to update the credential

After step (3), user/abcdefg is saved both for 2.chromium-test1... and 1.chromium-test1...

Comment 2 by battre@chromium.org, Jan 10 2018

I doubt a bit that these reproduction steps would have led to the 20 stars on bug 385619. They sound a bit esoteric to me.
I would like to add a possible example of use:
Let's say you visit an online shop. You use your account password at https://signin.verysecureshop.com/ to sign in. Then when you buy something, you use your payment password at https://checkout.verysecureshop.com/.
There are also some sites where a user is required to set an extra password and use it when doing some critical operations.
So basically, it's very likely that a user ends up having multiple passwords for the same account.
A really good example is Slack, which uses workspace.slack.com. For example, I could have the following workspaces:

projectteam.slack.com
department.slack.com
family.slack.com
friends.slack.com

All these have separate logins using email+password. My email is always the same but the password is different for each. If I change the password for one workspace, Chromium will change the password for all workspaces, which means I can't log in to the other workspaces anymore.
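
The scenario from the issue description and Comment 1, as an added example that is not part of the original thread and not Chromium code: a small model of a credential store in which an update spreads to entries sharing the registrable domain, username and old password. The names `registrable_domain`, `update_password`, `propagate_psl` and `sample_store`, the three-entry suffix set and the `other-app.appspot.com` entry are assumptions made for illustration.

```python
# Constructed model of the behaviour described in this issue; not Chromium code.
# Tiny constructed subset of public suffixes, enough for the hosts on this page.
PUBLIC_SUFFIXES = {"com", "tld", "appspot.com"}


def registrable_domain(host):
    """Return the public suffix plus one label (eTLD+1), or None."""
    host = host.lower().rstrip(".")
    if host in PUBLIC_SUFFIXES:
        return None
    labels = host.split(".")
    # Scanning left to right finds the longest matching suffix first.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def update_password(store, host, username, new_password, propagate_psl=True):
    """Update one credential in store; return the sorted hosts that changed.

    store maps (host, username) -> password. With propagate_psl=True, entries
    on other hosts are rewritten too when they share the registrable domain,
    the username and the old password, as in steps (1)-(3) of the report.
    """
    old = store.get((host, username))
    domain = registrable_domain(host)
    store[(host, username)] = new_password
    changed = [host]
    if propagate_psl and old is not None and domain is not None:
        for (h, u), pw in list(store.items()):
            if (h != host and u == username and pw == old
                    and registrable_domain(h) == domain):
                store[(h, u)] = new_password
                changed.append(h)
    return sorted(changed)


def sample_store():
    """Constructed entries: the two hosts from Comment 1 plus an unrelated app."""
    return {
        ("1.chromium-test1.appspot.com", "user"): "a",
        ("2.chromium-test1.appspot.com", "user"): "a",
        ("other-app.appspot.com", "user"): "a",
    }


if __name__ == "__main__":
    store = sample_store()
    print(update_password(store, "2.chromium-test1.appspot.com", "user", "abcdefg"))
```

Because `appspot.com` is itself treated as a public suffix, the unrelated app is never linked; passing `propagate_psl=False` shows the same update confined to the exact host.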

