Possibility to take only the domain and not the FQDN #199

Closed
kidburglar opened this issue Apr 6, 2017 · 30 comments

@kidburglar

Hello,
I saw today that on websites LessPass always takes the FQDN from the URL.

I think that in this kind of configuration all the websites under "domain.com" need to have the same password.

I think an option can be enough, but the possibility to define one's own regex can be nice too.

Cheers.

@Kcchouette
Contributor

@kidburglar it seems it's an issue that was fixed, but remodified for a reason I do not understand.

@guillaumevincent It would be good to add in the wiki the functionality you want for this case and to explain why.

@guillaumevincent
Member

guillaumevincent commented Apr 6, 2017

We reintroduced this because the modification changes every generated password. So it's a bug :)

I always wanted to keep only the domain name and remove the sub domain.
If we introduce this, it will force us to add a version 3 :(

Before any new version we are working on a password migration tool (but shh, it's a secret)

@SoftwUser

@guillaumevincent

So we'll have a V3 anytime soon?
As I have been planning to redesign my passwords these days, I wonder if I will be safe when manually removing the subdomains for now.

In other words:
Will the result of V2 minus removed subdomain be equal to V3 ?

@guillaumevincent
Member

@SoftwUser No, we will not get a version 3 soon.

Here is the roadmap:

  • @edouard-lopez and I are working on a product: LessPass Move. It will help you to migrate from v1 to v2 or change your master password. This is a tool we need before anything else.

  • soon after LessPass Move we are dropping version 1

After this (~3/4 months) we are going to see what is the next step, maybe scrypt + this feature, maybe something else.
I want to improve the user experience with a redesign of the interface (dark/white). Dark not connected, and white connected.

So no v3 soon.

@kidburglar
Author

@guillaumevincent
It's not directly bound to this issue, but how will LessPass Move work?

I had in mind that if we want to change our master password we only need to change our current LessPass-generated password with the new one. So I'm curious to know what would be the reason for LessPass Move?

@guillaumevincent
Member

We will make a post about this soon, but in short LessPass Move will help you to change all your generated passwords. You will connect to a LessPass Database or import a list of sites, enter your master password and it will generate old and new passwords. You will have to copy-paste the passwords or the tool will try to change the password directly on the site.

@edouard-lopez
Member

I'm OK with the idea of an option to decide how to manage the URL.

However, I am against requiring users to input regex as it is opposite to the KISS principle we aim for in the app. Regexps are damn complicated things and highly prone to error. Thus, even if errors are due to badly written regex, it will create frustration against the app.

I'm closing, as it's not something we will be working on right now or in the coming 3-4 months.

@panther2
Contributor

panther2 commented Apr 8, 2017

@guillaumevincent
@edouard-lopez

Sorry for resurrecting an already closed issue, but I stumbled into this subject only now and have a problem understanding why a V3 would be necessary:

Today (V2) when I browse to for example
subdomain.example.com
LessPass will fetch the characters subdomain.example.com
and together with the other input will create a password.

But today the user has the ability to manually alter the site name in the web interface or browser extension to

example.com or whatever.example.com or 12345.example.com.999

resulting of course in different passwords because of different characters in the site name.

But this input is always a responsibility of the user (who has to keep in mind what he finally accepted as a site name - or he has to use the connected mode), regardless of the LessPass version.

So if there is a V3 where the only change is the handling of the sitename (reducing subdomain.example.com to example.com ) the resulting password should be the same as in V2 (when manually reducing the sitename to example.com).

Or vice versa - in such a V3 the user could manually extend example.com back to subdomain.example.com and then get the same password as in V2.

So there would be no need to recreate the passwords only due to this change (handling of the site name) ... or am I missing something?

Thank you.

@guillaumevincent
Member

Users use the web extension's site autofill feature and don't modify the site. If we modify the autofill feature to use FQDN it will break users' generated passwords.

A V3 for only subdomains is not enough. A new version every 6 months is not good for LessPass.

We are working on LessPass Move and then we will see if we introduce V3.

I reopen this one, but we are not going to introduce a new version without LessPass Move.

@kidburglar
Author

@guillaumevincent
If you are ok to make options, why not make an option now and set the value to keep subdomain as default.

So people that will not modify their password may keep them and for the others they may use the option to switch to remove subdomain.

I think that's the best solution for everyone.
Cheers.

@panther2
Contributor

panther2 commented Apr 9, 2017

@guillaumevincent

> Users use the web extension's site autofill feature and don't modify the site.

Well, some users do, some users don't, I suppose.

I am happy if we don't get a new version (V3) only because of this domain handling issue, so no need to keep this issue open, IMHO. I just wanted to make sure that I had understood that subject correctly.

I fully agree that new versions (in whatever frequency) are not good for the LessPass conception.
New versions should be introduced only because of security issues (such as from V1 to V2), IMHO.

@guillaumevincent
Member

I agree and maybe find a way to customize options like using fqdn option

@Kcchouette
Contributor

Hello

> Users use the web extension's site autofill feature and don't modify the site.

I think it's a normal and ideal case, indeed, but during my 2 weeks of using LessPass, two of my favorite websites changed their domain name (they said .io is hype 😕)

So for these websites I changed the password xxxxx.com to xxxxx (in case they change again to something else).

> If you are ok to make options, why not make an option now and set the value to keep subdomain as default.

It can be a good idea.

@guillaumevincent
Member

@Kcchouette @kidburglar yes, it's a good idea; we will add an option for the FQDN feature after LessPass Move

@edouard-lopez
Member

edouard-lopez commented Apr 10, 2017

To sum up, the option should offer:

  • only domain (e.g. google)
  • domain and tld (e.g. google.com)
  • FQDN (e.g. accounts.google.com)

@Kcchouette
Contributor

@edouard-lopez yes, with the third option (FQDN (e.g. accounts.google.com)) as a default option

@guillaumevincent
Member

guillaumevincent commented Apr 11, 2017

> • only domain (e.g. google)

This one is hard to maintain because you will need a list of popular TLDs

@kidburglar
Author

@guillaumevincent
I don't think it will be difficult.
If you can strip the subdomain from the FQDN you only need to remove what there is after the "."

@guillaumevincent
Member

@kidburglar unfortunately, this is not so simple. TLD could be complex.
https://bbc.com/ and https://www.bbc.co.uk/ and https://www.bbc.com/ should return bbc.

There is no easy solution to get only bbc with a regex if you don't get a list of valid TLDs.

@kidburglar
Author

kidburglar commented Apr 11, 2017

@guillaumevincent
If it's possible to remove only subdomain you will have something like bbc.co.uk
If you remove what you have after the first "." you will strip all the TLD.

Edit: I think that it's the stripping subdomain part that is difficult, but when it's done the TLD will not be a real problem.

@Kcchouette
Contributor

Kcchouette commented Apr 11, 2017

As @kidburglar has said, if you have domain and tld (e.g. google.com or google.co.uk), just keep the part before the first dot (google in my two cases) to only have the domain

Edit: the most difficult part is to have the domain and tld (what's in the case of v1.account.domain.com and v2.account.domain.com)

@edouard-lopez
Member

edouard-lopez commented Apr 11, 2017

My bad @guillaumevincent, this is indeed not a trivial deed to accomplish, I will update.

For info check out:

  • Get the subdomain from a URL @ StackOverflow
  • The URL API doesn't provide such thing and is still experimental anyway.
  • IPv4, IPv6 or domain name

    A "host", consisting of either a registered name (including but not limited to a hostname), or an IP address. IPv4 addresses must be in dot-decimal notation, and IPv6 addresses must be enclosed in brackets ([ ]).
    https://www.wikiwand.com/en/URL

@guillaumevincent
Member

guillaumevincent commented Apr 11, 2017

@kidburglar there are a ton of strange TLDs, see the list of existing TLDs

The problem is not trivial, if you get www.api.pvt.k12.ma.us the domain is api or pvt or k12 or ma?

`pvt.k12.ma.us` is a TLD so domain is api

Now domain of api.pvt.lib.ny.us ?

`lib.ny.us` is a TLD so domain is pvt

This is the reason why there are projects like https://publicsuffix.org/

@Kcchouette
Contributor

@guillaumevincent if you can easily maintain domain and tld (e.g. google.com) for your two examples, having only the domain is trivial.

> www.api.pvt.k12.ma.us

if you can say the domain and tld is api.pvt.k12.ma.us, then by keeping the FIRST word BEFORE the dot, you have the domain, so the domain is indeed api

> Now domain of api.pvt.lib.ny.us ?

Same, if you can say the domain and tld is pvt.k12.ma.us, then by exactly the same operation from above we can say the domain is pvt.

@guillaumevincent
Member

guillaumevincent commented Apr 11, 2017

For our purpose we will probably need a list of the most used TLDs (.com, .co.uk, etc) and get:

  • only domain (e.g. google)
  • domain and tld (e.g. google.com)
  • FQDN (e.g. accounts.google.com)

@guillaumevincent
Member

guillaumevincent commented Apr 11, 2017

@Kcchouette I said:

> There is no easy solution to get only bbc with a regex if you don't get a list of valid TLD.

So yes with a valid TLD list it will be easier to get domain name without TLD

@Kcchouette
Contributor

Kcchouette commented Apr 11, 2017

I'm probably a bit confused by what you are saying, so here is a sum-up post:

> option should offer:
>
> • only domain (e.g. google)
> • domain and tld (e.g. google.com)
> • FQDN (e.g. accounts.google.com)

  • For the FQDN, the v2 is built like that now (so no new implementation)
  • For domain and tld, I don't know how you can do that
  • For only domain: it's `For domain and tld`.split(".")[0] (so an easy implementation that depends on the preceding one)

And now, in which case are we talking, the domain and tld one?

@edouard-lopez @guillaumevincent

@edouard-lopez
Member

I reckon the URL parsing problem is out of the scope of LessPass and should be a different project altogether.

@Kcchouette feel free to start a project to solve this issue.

@SoftwUser

SoftwUser commented Apr 11, 2017

A prominent website is for example www.amazon.co.uk (FQDN)

So how would that translate into

  • domain and tld (should be amazon.co.uk and neither amazon.co nor co.uk)
  • domain only (should be only amazon IMHO)

That in no way looks easy to do IMHO.

I vote for focussing on domain.tld (difficult enough) and FQDN (as it is now).
Those who want only domain may consider themselves what they manually remove from FQDN to meet their needs at best.

@guillaumevincent
Member

@Kcchouette your solution for only domain doesn't work

https://account.google.com > "account.google.com".split('.')[0] > account instead of google
https://test.slack.com/ > "test.slack.com".split('.')[0] > test instead of slack

There is no easy solution.
v2 could be easily improved by removing prefix www. from FQDN.

If we want to offer only domain (google) or base domain + TLD (google.com) we will need a list of valid TLD. There is no other solution.

I suggest reopening an issue when we move forward on LessPass Move.
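
The suffix-list approach the thread converges on, as an added example that is not LessPass code or part of the original discussion: it derives the three proposed site values (FQDN, domain and TLD, only domain) by longest-suffix matching and compares the result with the `split(".")[0]` shortcut. The names `SUFFIXES`, `siteOptions` and `naiveDomain` are hypothetical, and the suffix set is a constructed subset covering only hosts named in the thread.

```javascript
// Added example, not LessPass code. Function and field names are hypothetical.
// SUFFIXES is a constructed subset of publicsuffix.org rules covering only
// the hosts named in this thread; a real implementation loads the full list.
const SUFFIXES = new Set([
  "com", "uk", "co.uk", "us", "ma.us", "k12.ma.us", "pvt.k12.ma.us",
  "ny.us", "lib.ny.us",
]);

// Return the three candidate site strings for a hostname.
function siteOptions(hostname) {
  const fqdn = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no domain structure: only the FQDN option applies.
  if (/^\[.*\]$/.test(fqdn) || /^\d+(\.\d+){3}$/.test(fqdn)) {
    return { fqdn, domainAndTld: null, domain: null };
  }
  const labels = fqdn.split(".");
  // Scan left to right so the first hit is the longest matching suffix.
  // Unlisted TLDs fall back to the last label (the PSL default rule).
  let suffixLen = 1;
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      suffixLen = labels.length - i;
      break;
    }
  }
  // A host that is itself a public suffix has no registrable domain.
  if (suffixLen >= labels.length) {
    return { fqdn, domainAndTld: null, domain: null };
  }
  const registrable = labels.slice(labels.length - suffixLen - 1);
  return { fqdn, domainAndTld: registrable.join("."), domain: registrable[0] };
}

// The split(".")[0] shortcut discussed above, for comparison.
const naiveDomain = (hostname) => hostname.split(".")[0];

for (const host of ["www.bbc.co.uk", "account.google.com",
                    "www.api.pvt.k12.ma.us", "api.pvt.lib.ny.us"]) {
  console.log(host, siteOptions(host), "naive:", naiveDomain(host));
}
```

Because the site string is an input to password generation, switching an existing entry from one of these values to another yields a different password, which is why the maintainers tie any change of the default to a new version.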
