2023-07-13

Equivalent domains in password managers

Equivalent domains is a feature of most password managers that you should be using, both for your security and your convenience.  (1Password notably does not support this feature.)  I'll reference Bitwarden below since I consider it the best password manager for most people.

Go to Account Settings in the Bitwarden web vault (but not in any of the apps) and you'll see a page called Domain Rules.  It lets you configure equivalent domains.  The top of the page is for equivalent domains you add to your account, while the bottom of the page shows equivalent domains that are built into Bitwarden.

As an example, these are some of the equivalent domains that I have loaded into my Domain Rules page:

  • canadiantire.ca, sportchek.ca, marks.com
  • expedia.ca, expedia.com
  • opentable.ca, opentable.com
  • pinterest.com, pinterest.ca
  • microsoft.com, bing.com, hotmail.com, live.com, msn.com, windows.com, windowsazure.com, office.com, skype.com, azure.com, onenote.com, onedrive.com, microsoftonline.com

Each row is two or more domains that you're telling Bitwarden to treat as equivalent for autofill.

Why is using equivalent domains good for security?  Let's say you do not have this row configured: <hertz.com, hertz.ca>.  If you have created a Bitwarden login for hertz.ca and you later want to use the hertz.com website, BW won't autofill for you, because the domains don't match.  So you'll be forced to manually copy and paste the password, which is always a very dangerous thing to do: pasting bypasses the domain check that autofill performs, so a lookalike or phishing page receives the password just as readily as the real site.

Be very careful when adding new rows, or new domains to existing rows!  If you add a row <mybanksite.com, evilsite.com>, bad things will happen: if you are on an evilsite.com page, BW will happily autofill your userid and password for mybanksite.com!
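To make the matching rule and the two cases above (the missing <hertz.com, hertz.ca> row, and the dangerous <mybanksite.com, evilsite.com> row) concrete, here is a small model of how a password manager decides whether a stored login may be autofilled on the current page.  This is an added example written for this post, not Bitwarden's own code; the function names, the rule-list format and the sample URLs are assumptions, and the domain extraction is a deliberately naive "last two labels" rule (a real implementation uses the Public Suffix List so that sites like example.co.uk are handled correctly).

```python
from urllib.parse import urlsplit

# Example built-in style rules, constructed from the rows listed in the post.
# A real manager ships its own list and lets you append rows to it.
EQUIVALENT_DOMAINS = [
    {"canadiantire.ca", "sportchek.ca", "marks.com"},
    {"expedia.ca", "expedia.com"},
    {"opentable.ca", "opentable.com"},
    {"pinterest.com", "pinterest.ca"},
]


def registrable_domain(url: str) -> str:
    """Return the registrable domain of a URL, e.g. login.hertz.com -> hertz.com.

    Naive rule: keep the last two labels.  Matching on the registrable domain
    (not the full hostname) is what lets login.hertz.com fill a hertz.com entry,
    while hertz.com.evilsite.com is correctly seen as evilsite.com.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def equivalence_class(domain: str, rules: list[set[str]]) -> set[str]:
    """All domains the rules treat as the same site as `domain` (including itself)."""
    domain = domain.lower()
    matched = {domain}
    for group in rules:
        if domain in group:
            matched |= group
    return matched


def autofill_allowed(page_url: str, login_domain: str, rules: list[set[str]]) -> bool:
    """True if a login saved for `login_domain` may be filled on `page_url`."""
    return registrable_domain(page_url) in equivalence_class(login_domain, rules)


if __name__ == "__main__":
    # Case 1 from the post: no <hertz.com, hertz.ca> row, login saved for hertz.ca.
    print(autofill_allowed("https://www.hertz.com/rent", "hertz.ca", EQUIVALENT_DOMAINS))
    # Same page after adding the row: autofill works, no manual copy/paste needed.
    with_hertz = EQUIVALENT_DOMAINS + [{"hertz.com", "hertz.ca"}]
    print(autofill_allowed("https://www.hertz.com/rent", "hertz.ca", with_hertz))
    # Case 2 from the post: a careless row hands the bank login to evilsite.com.
    bad_rules = EQUIVALENT_DOMAINS + [{"mybanksite.com", "evilsite.com"}]
    print(autofill_allowed("https://evilsite.com/login", "mybanksite.com", bad_rules))
    # A lookalike hostname does not match, because the registrable domain differs.
    print(autofill_allowed("https://hertz.com.evilsite.com/login", "hertz.ca", with_hertz))
```

The last two calls show the two sides of the feature: a row is an explicit statement that every domain in it is run by the same organisation, so the manager will fill across all of them, while the registrable-domain comparison still refuses to fill on a hostname that merely contains a trusted name.  Before adding a domain to a row, confirm that it really belongs to the same operator as the others.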