
1Password Security: What They Do Right

My History with Password Managers

I've been using 1Password since the month LastPass was bought by LogMeIn in 2015; before that I was a paying LastPass user for five years (they started in 2008, and I still have a receipt for LastPass Premium from January 15, 2010 and a support-ticket reply to a bug report from LastPass co-founder and CTO Robert Billingslea dated Oct 20, 2010!). I wasn't thrilled with the acquisition, and I believe my reasons have been vindicated, but I'm not here to discuss LastPass. I'm here to discuss 1Password from AgileBits, which is where I ended up. Actually, my earliest 1Password receipt is from December 14, 2012, when I bought version 4.0.2, though I didn't switch to using it full-time immediately. I've been very happy with them and their approach to security ever since. With that said, keep in mind that security is always about risk reduction, not perfection. There's no guarantee 1Password won't be compromised tomorrow, but that's not unique to them. What I want to do here is highlight a few of the features, security included, that are the reasons I've been happy with them for a long time and why I continue to use them today, both at home and at work.

1Password Business and Their Internal Security Expert

At work we were beta testers of 1Password Business before its initial release, so I've had a long history with both the personal and business products. I used to be active on the 1Password Forums, and I'm very happy they had Jeffrey Goldberg as their security guy for 13 years (he left last year, in 2024), because he made sure their actual algorithms and implementations were done well and securely. Implementation, even of the best algorithms, is usually where software security goes wrong (you know, bugs).

While Jeffrey was at AgileBits, he did a lot of public speaking, blogging, and writing, and remained involved in both their customer community and the wider security and math communities. In part because of his input, but also because of the company culture that supported hiring him in the first place, they've consistently shown that they prioritize actual security done correctly over getting features out the door, while still spending time and energy on the design, usability, and speed of the application. The fact that the company has paid to keep an expert of this type on staff since nearly their beginning is something I've always appreciated, because they're putting their money where their mouth is.

Continue reading to see my favorite features, how I've reviewed their security, and some of the other features I've found useful, from security, user, and developer standpoints.

My Favorite Features

One of my favorite 1Password features is the combined "view" of any set of vaults across any number of logged-in accounts (work and personal, for example, or even a second or third company) at one time. This allows flexible configuration and usage, and it's something some of their major competition doesn't offer at all.

1Password also offers flexible and fast mobile apps, and was one of the first to integrate with iOS for password filling: they invented an auto-fill API for third-party apps, shared it publicly, and let other vendors use it even before Apple made auto-fill official (Apple basically Sherlocked it and eventually expanded it to everyone).

On Windows and Mac, you can optionally install the 1Password extension in each browser individually and it will work on its own, but if you also install the local thick client, it locks and unlocks all your browser extensions securely at the same time: if one is unlocked they all are, and vice versa. That's quite handy for those of us using multiple browsers (and something else I've not seen in the competition I've used).

Even with a couple thousand items across multiple 1Password accounts, I've never seen any speed issues on mobile or on any reasonably fast computer, despite all the individual item-level encryption and decryption going on continually.

Freebies

There are no free 1Password accounts, which I'm fine with: for the price of a nice cup of coffee each month I'm willing to pay the company I'm putting a lot of trust in. What they do have is a free Families account (up to 5 users in a household, a $5/mo value) included with every employee's Business account. This makes it easy for employees to save their own stuff and keep it should they be terminated and lose business access (they can freely export/move it elsewhere in Read mode, or they can pay for it themselves, should they lose the Business sponsorship). I know several competitors do this too, but switching between work and personal accounts is usually not as easy and seamless there, making it harder to adopt both. If an employee uses the account personally, they're learning skills and habits that are directly applicable at work, and if they use the account at work, they can apply those skills to keep their personal life more secure at no extra cost, making it a win-win offer!

But What About Security?

OK, but what about the security of the data, arguably the number one most important thing when considering where to save your stuff? I already mentioned nothing is perfect, but the 1Password track record is quite good.

I'm not aware of any specific security incident from 1Password that resulted in the company losing user vault data directly as of this writing, though I'm perfectly willing to be corrected on this if I'm misinformed. I have done multiple deep-dive searches over the years to periodically check on any public information to the contrary. They have had some security incidents over time that have not resulted in actual data breaches, because of their layered security design.

Okta Breach

There was a security incident in 2023 due to a compromise at Okta, a company 1Password (and thousands of others) relies on for authentication internally. In the Okta incident, they confirmed no user data was compromised, just some of their support team. Of course you can find negative opinions as well, even some that make some good points, and it sounds like they learned from it.

Cloudbleed

But the biggest incident I recall is a 2017 Cloudflare bug dubbed Cloudbleed (with more information in another blog post the next week). Cloudflare had a memory leak that accidentally served content from some Cloudflare-protected websites into responses destined for other people (so a TLS-encrypted page sent to one user in some cases contained the contents of a page destined for another user). This affected 1Password because 1Password was using Cloudflare for content delivery, including vault sync data to the 1Password cloud.

However, because 1Password triple-encrypted all the actual vault data in transit themselves (with Cloudflare's TLS being just the outermost layer), Cloudbleed resulted in NO lost or exposed data for 1Password. The 1Password Cloudbleed postmortem called out how they remained secure even as many other companies had data compromised because of Cloudbleed.

Other Security Items

There have been a few other security issues with 1Password over the years. A local 1Password application vulnerability was fixed in 2024 with CVE-2024-42219, for example: a malicious application on a Mac with 1Password installed could have bypassed some protections to access 1Password data on that machine. This is a real issue, and they fixed it promptly, but a weakness that requires a malicious app already running on your computer is quite different from a compromise of a web service that could affect thousands of users at once.

Vault Encryption and Private Keys

Just as in the Cloudbleed incident, 1Password encrypts all of the vault data with encryption keys unique to you, derived from your Master Password and a random string they call the Secret Key. These are in essence the keys to the items saved in your vaults, and they are never sent to the 1Password cloud servers (only the encrypted versions of your items, without keys, ever leave your computer or device). That makes a mass data loss incident from a server-side breach quite difficult, since an attacker would only be stealing encrypted data they couldn't decrypt.

This means your computer and devices could be attacked to compromise your information (this is true regardless of how you store credentials, but at least 1Password keeps them locked up when not in use and adds the protections it can), but global attacks on the service are much less likely to be fruitful.
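To make the two-secret design concrete, here is an added illustration written for this post; it is not 1Password's code and does not reproduce their actual parameters or cipher. It derives a vault key from a password and a Secret Key, encrypts an item with it, and then shows what someone holding only the server-side copy (salt plus ciphertext) can and cannot do with a password wordlist. The iteration count, the Secret Key string, and the item text are all constructed, and a small HMAC-based encrypt-then-MAC construction stands in for a real AEAD so the block runs on the standard library alone.

```python
import hashlib, hmac, os

ITER = 100_000  # constructed for speed; real deployments use far higher PBKDF2 counts


def derive_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Combine a memorable password with a high-entropy Secret Key.
    The password half is stretched with PBKDF2; the Secret Key half is only hashed,
    since it already carries enough entropy. XORing the halves means an attacker
    needs BOTH secrets, and neither half is ever stored on the server."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
    sk_part = hmac.new(secret_key.encode(), salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode as a PRF; a teaching substitute for AES, not production crypto.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt_item(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one vault item as nonce || ciphertext || tag (encrypt-then-MAC).
    This blob is the only thing that would ever be uploaded for sync."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_item(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def guess_from_server_copy(blob: bytes, salt: bytes, wordlist, secret_key: str = ""):
    """Model a breach of the server-side data: try candidate passwords against the blob.
    Without the Secret Key (default: empty), even the correct password derives the
    wrong key, so the tag never verifies; guessing the Secret Key as well is infeasible
    because it is long and random rather than human-chosen."""
    for candidate in wordlist:
        if decrypt_item(derive_key(candidate, secret_key, salt), blob) is not None:
            return candidate
    return None
```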

One could envision a supply-chain attack where someone gets malicious code into the 1Password apps and uses it to send data where it shouldn't go, or an attack that siphons data out of the browser extension through a bug in either the browser or the extension's security, something that was briefly an issue for LastPass in 2019. This is why you need to trust the writers of your software, while also accepting that they are imperfect and will make mistakes. But a vendor that pays attention and tries hard is likely to do a better job than one who doesn't start and stay on top of security in a meaningful way.

Service Accounts, Command Line, and Secrets Management

The other thing 1Password does very well is the 1Password CLI, a command-line tool that lets users and developers access credentials in their 1Password vaults from a command line or script. This is incredibly helpful for secrets management: automation scripts no longer have to contain the credentials for APIs or other third-party services directly in the script code, where they would be easier to steal, accidentally shared on GitHub, or meet some similar fate. Instead, developers use the 1Password CLI and its accompanying integration libraries to fetch the credentials they need from 1Password vaults on demand when scripts run, either by authenticating to 1Password at the start of the script run or by using a service account that has access to the vaults they need; both options are available with paid 1Password accounts. Some competitors, like Keeper Security, offer secrets management as a feature, but last time I checked, it cost over $100 per month at its cheapest tier, rather than being included as it is with 1Password Business accounts (and even Families accounts get the feature with lower usage limits).
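As an added example of the pattern described above (mine, not 1Password's own code or their integration libraries), this script keeps only `op://vault/item/field` references in its configuration and resolves them at run time through the CLI's `op read` command. A service account supplies its token through the `OP_SERVICE_ACCOUNT_TOKEN` environment variable, so an unattended job needs no interactive sign-in. The `runner` parameter is my own addition so the resolution logic can be exercised without the CLI installed; the vault, item and field names are constructed.

```python
import re
import subprocess

# vault/item/field, optionally vault/item/section/field
OP_REF = re.compile(r"^op://[^/]+/[^/]+/[^/]+(/[^/]+)?$")


def op_read(ref: str) -> str:
    """Real resolver: `op read <ref>` prints the referenced field's value.
    With OP_SERVICE_ACCOUNT_TOKEN set, the CLI authenticates as the service account."""
    out = subprocess.run(["op", "read", ref], check=True, capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def resolve_secret(ref: str, runner=op_read) -> str:
    """Resolve one reference; refuse anything that is not a well-formed vault reference,
    so a stray literal secret in config is caught instead of silently passed through."""
    if not OP_REF.match(ref):
        raise ValueError("not a vault reference: %r" % ref)
    return runner(ref)


def load_config(raw: dict, runner=op_read) -> dict:
    """Expand every op:// value in an environment-style mapping; plain settings pass
    through untouched. Real secret values exist only in the running process's memory."""
    return {
        name: resolve_secret(value, runner) if value.startswith("op://") else value
        for name, value in raw.items()
    }


def find_literal_secrets(raw: dict, secret_names=("TOKEN", "PASSWORD", "KEY")) -> list:
    """Review helper: settings whose name looks secret but whose value is not a
    reference, i.e. a credential that has been pasted into the config directly."""
    return [
        name for name, value in raw.items()
        if any(tag in name.upper() for tag in secret_names) and not value.startswith("op://")
    ]
```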

Another boon to developers is the close integration of 1Password with SSH and Git, allowing you to use your 1Password vaults to store your SSH keys and Git credentials for on-demand use as needed.

Conclusion

I've been asked a few times why I chose 1Password over the other password managers out there, so I figured I'd put some of the answers down in one place. They aren't all development related, even though this is my development blog, but some of them are, as I make heavy use of the 1Password CLI to keep secrets out of the scripts on my system! There are other good password managers out there, and many bad ones. I've done extensive research and stand behind my choice as a good one, while reminding you of my initial statement that there is no such thing as perfect security. Trusting a password manager does require a lot of confidence, even though using any of the good ones is a huge step up from trying to remember passwords and not using one at all. Humans are just that bad at passwords. And I'm happy that 1Password now has a program that lets us provide 1Password to our business clients as well; I requested the option a few years ago and it only recently came to fruition, but they've done a great job with that program too!