BestSoftwarePicks

Is 1Password safe?

Laurent, Senior System Engineer · Published June 2026

Yes, 1Password is safe. It uses AES-256-GCM encryption with a unique Secret Key architecture: a 128-bit random value that lives only on your devices and never touches 1Password servers. Even a complete breach of 1Password infrastructure cannot decrypt vaults without that Secret Key. The 2023 Okta-related incident proved the design works: attackers got internal access and could not access any customer data.

Timeline of how 1Password built its security posture

  • 2005: Founded in Toronto as a Mac-only password manager called "1Passwd."
  • 2013: AES-256 encryption introduced as the standard cipher across all 1Password vaults.
  • 2017: Secret Key architecture launched. This is the differentiator. In addition to your master password, 1Password generates a random 128-bit Secret Key when you create your account. The Secret Key is stored only on your devices and on your printable Emergency Kit; 1Password's servers never see it. The encryption key for your vault is derived from BOTH your master password AND the Secret Key, meaning a server breach is not enough to decrypt vaults.
  • 2019: First public penetration test by Cure53. Subsequent audits in 2020, 2021, 2022, 2023, 2024. Reports are published publicly.
  • 2021: SOC 2 Type II certified. Annual recertification since.
  • 2022: Series C funding ($620M at $6.8B valuation). Notable because 1Password remained a private company with clear control, rather than being acquired and absorbed into a security conglomerate.
  • September 2023: The Okta-related incident. Detail below.
  • 2024: Bug bounty program expanded. Single-payout records for critical findings raised to $1M+.

Why the Secret Key matters

Most password managers use a master-password-only architecture. Your master password derives the encryption key for your vault. If a server breach exposes vault files AND attackers somehow learn or guess your master password, the vault is decryptable.

1Password's Secret Key adds a second factor to the key derivation. Even with the vault file AND your master password, attackers can't decrypt without the Secret Key, which exists only on devices you've explicitly logged into. There is no recovery if you lose all your devices and the Emergency Kit; this is the deliberate trade-off. The benefit: a 1Password server breach is mathematically not enough to expose customer data.

Bitwarden, Dashlane, NordPass, and Proton Pass do not use this architecture. Their vaults are strong, but they're "one good master password" away from decryptability if the server data leaks. 1Password is "one good master password AND a 128-bit random value the attacker also has" away, which is effectively impossible.
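To make the "one good master password AND a 128-bit random value" argument concrete, here is an added, simplified model of two-secret key derivation in Python. It is illustration code written for this article, not 1Password's own 2SKD implementation or code from the page; it assumes PBKDF2 for the password half, HKDF for the Secret Key half, a low iteration count so it runs quickly, and a keyed MAC as a stand-in for the AES-256-GCM authentication tag on the vault.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 10_000  # assumption: deliberately low so the demo runs fast


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand, one output block."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def derive_vault_key(password: str, salt: bytes, secret_key: Optional[bytes]) -> bytes:
    """Password-only derivation when secret_key is None, otherwise the two halves
    are XORed: the result is unknown unless BOTH the password and the 128-bit
    Secret Key are known. (Simplified model, not 1Password's exact 2SKD.)"""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)
    if secret_key is None:
        return pw_part
    sk_part = hkdf_sha256(secret_key, salt, b"secret-key")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def create_vault(password: str, secret_key: Optional[bytes]) -> dict:
    """Constructed 'vault' as it would sit on the server: salt plus a key-check
    MAC. The Secret Key itself is never stored in the vault."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(password, salt, secret_key)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "key_check": check}


def unlock(vault: dict, password: str, secret_key: Optional[bytes]) -> bool:
    """True only if the supplied inputs re-derive the vault key."""
    key = derive_vault_key(password, vault["salt"], secret_key)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(check, vault["key_check"])


def guess_from_leaked_vault(vault: dict, wordlist: list) -> Optional[str]:
    """Models what a server-side breach yields: the vault blob and the ability
    to test password guesses. The Secret Key never reached the server, so each
    guess can only be tested password-only; it returns the password if found."""
    for candidate in wordlist:
        if unlock(vault, candidate, None):
            return candidate
    return None
```

Against a password-only vault a weak master password falls to the word list; against the two-secret vault the same guesses all fail, and even the correct password without the Secret Key does not unlock.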

The 2023 Okta-related incident, in detail

In September 2023, an attacker accessed 1Password's internal IT systems via a compromise at Okta (the identity provider 1Password used for employee single sign-on). The attacker obtained a HAR file containing 1Password employee session tokens. They then attempted to escalate within 1Password's tenant.

What the attacker could do: log in as an internal 1Password admin during the active session window, view some internal company data, attempt actions in 1Password's internal Okta tenant.

What the attacker could NOT do: access any customer vault data, decrypt anything, exfiltrate customer Secret Keys (because they exist only on customer devices, not on 1Password's servers).

1Password detected the abnormal admin activity within hours via internal alerting, rotated all credentials, terminated the session, audited every action the attacker took, and published a detailed incident report. No customer was affected. The episode is widely cited in security circles as a model of "design that contains the blast radius of an incident."

What 1Password does not protect against

Honest caveats. The Secret Key architecture is excellent against server-side breaches. It does not protect against:

  • Phishing for your master password. If you type your master password into a fake 1Password page, the attacker has it. 1Password's autofill and domain-matching mitigate this but don't eliminate it.
  • Malware on your device. If a keylogger or infostealer is running on your computer, it can capture your master password and (eventually) your unlocked vault. This is true of every password manager.
  • Physical compromise of your device while unlocked. If you walk away from an unlocked computer with 1Password unlocked, anyone present can see everything.
  • You losing your Secret Key entirely. If you forget your master password AND lose your Emergency Kit AND have no remaining logged-in devices, your vault is irrecoverable. This is the trade-off of the architecture.

Verdict

1Password is the most breach-resilient consumer password manager in 2026, full stop. The Secret Key architecture is a meaningful engineering decision that most competitors haven't replicated. The 2023 Okta incident was a stress test 1Password passed convincingly. If you're paying for a password manager and breach resistance is your top concern, 1Password is the answer. If cost is the primary concern, Bitwarden is also safe and dramatically cheaper, just with a different security model.

Read the full 1Password review

We tested 1Password against security architecture, app experience, and feature breadth. The full review covers everything beyond this single question.

This page contains affiliate links. If you purchase through a link on this page, we may receive a commission at no extra cost to you. This does not affect our rankings or reviews.