1Password

Basic Information
Release Year: 2006
Product Type: Software, Password Managers
In Production: Yes
Official Website: https://1password.com/


1Password is a multi-platform, subscription-based password manager developed by AgileBits Inc. It is often used because it combines a master password with a second secret key generated on-device (i.e., not in the cloud). Both pieces of information are therefore required to unlock and decrypt a user's vault. It also supports conventional two-factor authentication using either software tokens or hardware-based tokens (e.g., YubiKey, Google Titan), which can be added to further secure a vault. 1Password is closed-source and is not self-hostable.

In addition to passwords, 1Password can store a wide range of site credentials, including one-time codes, emails / user names, and additional notes.[1]

Consumer impact summary

Freedom

"You can export your 1Password information at any time. If you discontinue payment, your account will enter a frozen (read-only) state that still allows you to retrieve and export your information. Your export will be limited to the information you saved in 1Password. We can’t guarantee that vault permissions, group structures, and other details about relationships between people and information are included."[2]

Users can import existing passwords from other managers and export passwords and other content in formats suitable for importing into other managers. 1Password is not a walled garden. Allowing the subscription to expire places an account in a read-only state, where the user can still download their passwords and other saved content.

Privacy

From "Your Rights" section of the privacy policy:

"You have the right to your information. We'll never lock you out of your 1Password account, but we're unable to decrypt it for you."[2]

This implies that anything stored inside the account is hidden from the company, which is desirable for a password manager.

"You have the right to know what we know. You have the right to know what we know about you and see how we handle that information. If you make such a request, you'll receive a screenshot of what we can see about you in our systems. To protect customer privacy, these requests will be carefully authenticated beyond demonstrating control of the registered email address."[2]

Such a request may need to contain the identifying information you had to provide in order to use the service, such as email, name, address, and payment information.

User security

Users should be aware that using password manager browser extensions increases their vulnerability to clickjacking,[3] in which the autofill feature is abused to trick the password manager into leaking user credentials and other sensitive details.[4] It is considered best practice to copy these elements into trusted pages manually.[3][4][5]

Business model

1Password is subscription-based and has a strong emphasis on enterprise credential management,[6][7] especially enterprise secret management (e.g., SSH keys, authentication tokens, API keys).[8][9][10][11][12]

Market control

1Password claims on its website front page that it is industry-leading, although it does not cite any public market research or third-party audits. However, a bug bounty program exists on HackerOne.[13] Market studies and reviews (as of October 2025) show that it has significant competitive control.[14][15][16]

Incidents

This is a list of all consumer protection incidents related to this product. Any incidents not mentioned here can be found in the 1Password category.

1Password Okta instance breach, discovered (29 Sept 2023)

On September 28, 2023, the Okta Help Center suffered a security incident. During the breach, the attackers were able to extract sensitive data from the customer support system.[17]

1Password, which uses an Okta instance, published a blog post disclosing an internal investigation of the breach.[18] According to their disclosure, the attackers' actions triggered an email to a member of the IT team, who acted swiftly to contain the breach. The company reported that no user data was exfiltrated or decrypted.[19]

References

  1. "Password Manager for Individuals & Families". 1Password. Archived from the original on 2025-10-30. Retrieved 2025-10-21.
  2. "About 1Password and your privacy". 1Password Support. 2025-02-27. Archived from the original on 2025-09-05. Retrieved 2025-09-05.
  3. Toulas, Bill (2025-08-20). "Major password managers can leak logins in clickjacking attacks". Bleeping Computer. Archived from the original on 2025-09-29. Retrieved 2025-09-05.
  4. Naprys, Ernestas (2025-08-21). "Major flaw affecting password managers: they autofill credentials for attackers". Cybernews. Archived from the original on 2025-10-19. Retrieved 2025-09-05.
  5. Tóth, Marek (2025-09-11). "DOM-based Extension Clickjacking: Your Password Manager Data at Risk". marektóth. Archived from the original on 2025-10-20. Retrieved 2025-10-21.
  6. "1Password Device Trust". 1Password. Archived from the original on 2025-10-30. Retrieved 2025-10-21.
  7. "XAM: Extended Access Management". 1Password. Archived from the original on 2025-10-20. Retrieved 2025-10-21.
  8. "1Password for SSH & Git | 1Password Developer". 1Password Developer. Archived from the original on 2026-02-02. Retrieved 2026-02-10.
  9. "1Password for VS Code | 1Password Developer". 1Password Developer. Archived from the original on 2026-02-08. Retrieved 2026-02-10.
  10. "1Password Developer Watchtower | 1Password Developer". 1Password Developer. Archived from the original on 2026-01-26. Retrieved 2026-02-10.
  11. "1Password SDKs | 1Password Developer". 1Password Developer. Archived from the original on 2026-01-26. Retrieved 2026-02-10.
  12. "1Password Developer". 1Password Developer. Archived from the original on 2026-01-26. Retrieved 2026-02-10.
  13. "1Password - CTF | Bug Bounty Program Policy". HackerOne. 2024-12-09. Archived from the original on 2025-10-04. Retrieved 2025-10-21.
  14. "Password Management Market Size & Share Analysis - Growth Trends & Forecasts (2025 - 2030)". Mordor Intelligence. Archived from the original on 2025-09-07. Retrieved 2025-10-21.
  15. Bouman, Amber; Spadafora, Anthony (2025-09-11). "The best password managers in 2025". Tom's Guide. Archived from the original on 2025-10-12. Retrieved 2025-10-21.
  16. Key, Kim; Henry, Alan (2025-10-14). "The Best Password Managers for 2025". PCMag. Archived from the original on 2025-10-17. Retrieved 2025-10-21.
  17. Bradbury, David (2023-11-29). "October Customer Support Security Incident - Update and Recommended Actions". Okta Security. Archived from the original on 2024-07-20. Retrieved 2026-01-05.
  18. Canahuati, Pedro (2023-10-23). "Okta Support System incident and 1Password". 1Password Blog. Archived from the original on 2025-09-05. Retrieved 2025-09-05.
  19. "Security incident report" (PDF). 1Password Blog. 2023-10-27. Archived from the original (PDF) on 2025-09-20. Retrieved 2026-01-23.