There is a catastrophic bug in Chrome’s password manager, where it confuses and overwrites passwords belonging to websites whose URLs use different sub-domains of the same domain name.
For example, when you use two entirely different login pages, such as https://www.example.com/wp-login.php and https://cameo.example.com/login, you can lose the password for the former.
It is possible to persuade Chrome to get this right, but it takes a little effort.
The problem
When you log in to a website, Chrome offers to save your password for you. Depending on your Chrome settings it may then share this across multiple computers. But if you then log in to a different site which is a different sub-domain of the first, with the same user name (typically your email address), and you say yes to saving its password, it overwrites the earlier password with the new one.
For example, in the following, example.com is the domain name.
Log in to https://www.example.com as me@ddje.uk with password mypassword1. (Please, don’t ever use a password like that: it is completely insecure; this is just for illustration.) www.example.com is a sub-domain. Chrome saves your password against site https://www.example.com when you allow it to.
Then log in to https://cameo.example.com as me@ddje.uk with password mypassword2. cameo.example.com is another sub-domain. Chrome again offers to save this password. When you agree, it does not save a new entry for https://cameo.example.com but instead changes the password for https://www.example.com to mypassword2, losing your original password in the process.
This bug has been present in Chrome for years. It is not a Cameo problem, but it often shows up with Cameo because Cameo commonly shares a domain with your public web site. That site is often WordPress or similar, so it also has a login.
The solution
You have to manually add or amend the entries in Chrome’s password manager: see below. Once you have two separate entries with the correct sub-domains, Chrome then appears to work properly. (However, take care when accepting any changes you make to passwords afterwards: it is not clear what Chrome does in those circumstances.)
If you have more than two sub-domains (e.g. you also have test-cameo.example.com), you need to add a further entry for each.
Changing and adding passwords in Chrome’s password manager
- Click the menu button (three vertical dots) at the top right of the Chrome window (Fig 1: 1), and select Settings (Fig 1: 2).
- In settings, choose Autofill from the menu on the left (Fig 1: 3), then Password Manager. Or just use the search bar to search for password.
- If you have already hit the problem, locate the entry (e.g. www.example.com) in the Saved Passwords list (there is a search box if you have a long list: Fig 1: 6).
- Click the three dots alongside and choose Edit Password (Fig 1: 4; you may be asked for your computer PIN or password to allow this – be patient, it can take a while for the box to pop up).
- Correct the password for that sub-domain if it is the wrong one, and Save (Fig 2). You can click the eye icon to see the password.
- Click the Add button at the top of the list of saved passwords (Fig 1: 5).
- Enter the site (the second sub-domain name, e.g. cameo.example.com), username (typically your email address) and the separate password for that site, then Save.
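One way to check the result of the steps above, as an added example that is not part of the original article: it reads a password export in CSV form and reports which of your login hosts has no entry of its own, and which hold identical passwords. It assumes the export has url, username and password columns (check the header row of your own file); the sample rows and the function names are constructed for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample rows. The column layout (name,url,username,password)
# is an assumption about the export file; compare it with your own header.
SAMPLE_EXPORT = """name,url,username,password
www.example.com,https://www.example.com/wp-login.php,me@ddje.uk,mypassword2
news.example.org,https://news.example.org/login,me@ddje.uk,another-secret
"""

def load_entries(csv_text):
    """Map (host, username) -> password for every row of the export."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Key on the full host name, so each sub-domain is its own entry.
        host = (urlsplit(row["url"]).hostname or row.get("name", "")).lower()
        entries[(host, row["username"])] = row["password"]
    return entries

def audit(csv_text, username, expected_hosts):
    """Return (missing, shared): expected hosts with no entry of their own,
    and pairs of expected hosts whose saved passwords are identical."""
    entries = load_entries(csv_text)
    hosts = [h.lower() for h in expected_hosts]
    missing = [h for h in hosts if (h, username) not in entries]
    present = [h for h in hosts if (h, username) in entries]
    shared = [(a, b) for i, a in enumerate(present) for b in present[i + 1:]
              if entries[(a, username)] == entries[(b, username)]]
    return missing, shared

if __name__ == "__main__":
    missing, shared = audit(SAMPLE_EXPORT, "me@ddje.uk",
                            ["www.example.com", "cameo.example.com"])
    for host in missing:
        print(f"no saved entry for {host}: add one by hand")
    for a, b in shared:
        # Passwords are compared but never printed.
        print(f"{a} and {b} hold the same password: check both")
```

The export file holds your passwords in plain text, so delete it as soon as the check is done.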
Better solutions
A better solution would be to use a proper password manager. The free version of Bitwarden would probably be adequate in most circumstances. 1Password has a good reputation, but does not have a free tier. LastPass suffered from catastrophic data leaks in late 2022; I cannot recommend them any more.
Also, don’t forget that there are ways to log in to Cameo other than with a password:
- use biometrics or a hardware key on your desktop, or
- use FaceID or TouchID on your phone to authenticate your Cameo login.
What not to do!
Don’t try to solve this problem by using the same password for both sites. Always use unique, strong passwords for all sites (and turn on two-factor authentication where available).