1Password Is Still the Gold Standard for Securely Managing Your Passwords


1Password has been around for almost two decades, and it’s changed a lot in that time. What started as a perpetual license with self-hosted vaults has morphed into a subscription service hosted entirely on the servers of AgileBits, 1Password’s parent company.

It’s remained resilient in the face of high-profile password manager breaches, due in no small part to its zero-knowledge security architecture, and it has continued to evolve with new features, including Travel Mode, which is quickly becoming one of the marquee offerings. Even with such drastic changes, 1Password remains one of the best password managers on the market.

More Than Just Passwords

Most password managers let you store more than just passwords, and 1Password is no exception. There are presets available for medical records, server information, your bank account, your passport, and so much more. Ultimately, these are all just text fields with a special icon, and you’re free to add or remove fields as you see fit. Outside of text, entries in 1Password break down into a few main categories:

  • Logins: These are different from passwords in that they’re tied to a URL or app, and they’re used for autofill. Passkeys, which 1Password supports, fall under this category.
  • Identities: 1Password supports automatic form filling, and it pulls from the identities you have set up in your vault.
  • Credit Cards: You can store card information in 1Password, as well as autofill those details on desktop and mobile.
  • Documents: You can attach documents to any entry in your vault (including the dedicated Documents preset). You get 1 GB of encrypted storage for these attachments on an individual account, and 1 GB per person on a family plan.

That gives you a wide view of the kind of data you can store in your vaults, as well as how you’ll need to categorize it for autofill purposes. But 1Password affords you a ton of flexibility. You can add, remove, swap around, and rename fields as you see fit. For example, you can include a note to differentiate multiple logins for the same website, or attach documents to your passport entry.

Two things stand out. First, 1Password can store one-time passwords. If you have accounts set up with Google Authenticator or some other two-factor authentication utility, 1Password can handle that for you. You just scan the QR code or copy the one-time password over to your login, and it’ll handle all the 2FA work.

The second is passkey support. 1Password can generate, store, and sync passkeys for websites that support them. 1Password also highlights logins where passkeys are available, but you aren’t using them. However, this list is based on 1Password’s own (somewhat dated) database of passkey support.

You have a lot of tools to organize your entries in 1Password, which becomes increasingly important as you continue to use it. I have over 600 entries in my vault, and I should’ve started using the organization tools earlier; that’s on me.

Everything starts with a vault. You can create as many vaults as you want. There may be a limit at some unreasonable point, but 1Password doesn’t technically impose limitations on the number of vaults you can have. I haven’t found much of a purpose to make a ton of vaults for personal use, but they’re convenient to have if you’re sharing entries a lot.

When you create a new entry, it’s automatically segmented into a category based on what entry type you used, but I get far more use out of tags. You can add as many tags as you want to entries, and you can even nest them; for example, nesting a “shipping” tag within your “business” tag. Once the tag is set, you don’t need to individually edit entries. Just drag them to the tag, and they’ll be organized.

My biggest issue with tags is that they’re all the same color in 1Password. You can mark favorites for quick access, but a color selector for tags would make it a bit easier to find what you need at a glance, especially if you create a complex, nested tag structure.

Desktop and Mobile

You have a lot of options to use 1Password on a desktop or laptop. Native apps are available for macOS and Windows, as well as just about every flavor of Linux you could want (including my beloved Arch-based distribution). The easiest way to use 1Password—and the way I’ve used it for years—is through the browser. 1Password has extensions available for Chrome, Safari, Firefox, Edge, and Brave, and you can manage everything you can with the desktop app from a browser window.

1Password via Jacob Roach

Capture and autofill with the extension is basically flawless, at least across Chromium-based browsers and Firefox. I can’t recall a single time since I started using 1Password 5 years ago that it got tripped up on a password field, nor a time that 1Password failed to capture a password I generated when signing up for a new account. At this point, I don’t even see my passwords; they’re generated, captured, and stored by 1Password, and I don’t give them a second thought.

One quibble I have on desktop is 1Password’s automatic login. It’s a recent addition that attempts to sign you in right when you autofill. 1Password fills in your details and selects whatever button it needs to log you in without intervention. 1Password always makes the attempt, but more often than not, the login page throws up an error from the automated process. 1Password sorely needs an option to turn automatic login off.

Hotkeys aren’t perfect in the browser, either. By default, Ctrl+Shift+X (Shift+Command+X on macOS) will open the 1Password extension, except on Firefox, which has a different hotkey. On some systems, it works like a charm, and on others, it doesn’t work at all. It’s not a deal-breaker, but it’s annoying when a hotkey doesn’t work the way I expect it to.

Outside of managing your passwords (and turning on Travel Mode, which I’ll cover shortly), you can also access your Emergency Kit in the browser, which isn’t available in either the desktop or mobile apps. It’s a PDF with your account information, with a QR code and space to type (or write) your account password. Some password managers, such as Keeper and NordPass, have so-called digital legacy features that can pass on your passwords after you, well, pass. The Emergency Kit isn’t as convenient, but it largely serves the same purpose.


Password managers are spotty on Android and iOS in general, and 1Password isn’t above that issue. I’d estimate somewhere around 10 to 15 percent of the fields I encounter on mobile just don’t register with 1Password, sending me out to the app to copy my password over manually. This is more of an issue with how apps categorize different fields and expose them to other apps running, and less of a 1Password-specific problem.

1Password at least attempts to get around this with linked apps. As you start signing into apps using entries in your vault, 1Password will connect your login to whatever app you’re logging into. That doesn’t eliminate autofill problems on mobile, but it helps in the cases where 1Password is looking for a specific URL to autofill, and the mobile app isn’t operating with that URL.

Outside of autofill, using 1Password on Android and iOS is a breeze. You can enter your account password each time you unlock your account if you want, but 1Password supports biometric authentication on Android and iOS, including Face ID support. After a certain amount of time has passed (you can change the amount of time in the settings), 1Password will ask you to re-enter your account password. Thankfully, if you don’t want to use biometrics, you can set up a PIN or passcode, as well.

Quick access is important because 1Password is extremely limited on mobile, and that’s a good thing. Switching to another app or locking your phone also locks your account, and if you swipe through your list of open apps, you’ll only see the 1Password login screen.

You’re free to change these settings, from the amount of time before you need to re-enter your account password to when 1Password should clear copied passwords from your clipboard. The defaults work well, but if you can’t be bothered, you can turn these extra security measures off.

Unique Security

1Password may function similarly to other password managers, but its security design is unique. The company has a white paper you can read through for all the gory details, and it maintains a list of certifications and recent penetration testing. The core of 1Password’s security, however, is a zero-knowledge approach. It’s designed in such a way that, even if 1Password wanted to, it has no means to decrypt the contents of your vault.

This works due to what 1Password calls Two-Secret Key Derivation, or 2SKD. It takes your account password and a secret key that’s generated on your device when you first sign up for 1Password, and uses them to derive a key encryption key (KEK). Also on your device, 1Password generates a public-private key pair. Your private key is encrypted with the KEK, while your public key is shared.

There are several layers of nested encryption beyond this, but what’s important is that 1Password doesn’t have a copy of your private key, nor a copy of the account password that’s necessary to derive the KEK. And when you authenticate, everything happens locally on your device, including encryption and decryption. Your KEK, account password, and private key never leave your device.

It’s a huge boon for security, but this design introduces some usability hurdles. When you set up a new device, you’ll need to enter both your password and secret key the first time. Once that device has derived a KEK, you’ll only need to enter your password going forward.
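As an added illustration of the 2SKD shape described above (example code, not 1Password’s own code or the white paper’s parameters): the account password is stretched with PBKDF2, the secret key is expanded with HKDF, the two are XORed into a KEK, and the KEK wraps the private key. The iteration count, salt handling, info strings and the HMAC-counter stream cipher standing in for a real AEAD are all demo assumptions; the point is that the record a server would hold yields nothing without both secrets.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # demo value; not 1Password's real parameter


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """Single-block HKDF (RFC 5869): extract with the salt, expand to 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_kek(password: str, secret_key: str, salt: bytes) -> bytes:
    """2SKD-shaped derivation: stretched password XOR expanded secret key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, 32)
    sk_part = hkdf_sha256(secret_key.encode(), salt, b"2skd-demo-secret-key")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; demo keystream standing in for a real AEAD."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys split off the KEK; returns nonce||ct||tag."""
    enc_key, mac_key = hkdf_sha256(kek, b"", b"enc"), hkdf_sha256(kek, b"", b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes):
    """Returns the plaintext, or None if the KEK is wrong or the blob was altered."""
    enc_key, mac_key = hkdf_sha256(kek, b"", b"enc"), hkdf_sha256(kek, b"", b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _stream(enc_key, nonce, len(ct))))


def enroll(password: str, secret_key: str, private_key: bytes) -> dict:
    """What a server would store: the salt and the wrapped private key, never the KEK."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_private_key": wrap(derive_kek(password, secret_key, salt), private_key)}


def unlock(password: str, secret_key: str, record: dict):
    """Client-side unlock: both secrets are needed to rebuild the KEK and unwrap the key."""
    return unwrap(derive_kek(password, secret_key, record["salt"]), record["wrapped_private_key"])
```

A wrong password, a wrong secret key, or a single flipped byte in the stored blob all fail the tag check and return None rather than garbage.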

One disappointing aspect of 1Password’s security is that it doesn’t have open source apps like Bitwarden or Proton Pass. However, 1Password still publicly publishes security audits, and it even offers free 1Password accounts to open source developers.


Over the years, one of the features I’ve grown to appreciate most in 1Password is Watchtower. Proton Pass and several other competitors have similar features, but Watchtower is one of the most comprehensive in what it covers. You get an overall security score for items in your vault, as well as suggestions for different logins.

1Password will show where passkeys are available, where 2FA is available but not enabled, compromised passwords, weak and reused passwords, and even entries expiring soon, like credit cards. It even segments all your entries into different strength categories, allowing you to quickly see, for example, how many passwords you have that are “good” but not “excellent.”

Then there’s Travel Mode. To my knowledge, no other password manager offers a feature like this (if there are others, drop a comment below). Basically, it lets you mark vaults as safe for travel or not. When you toggle on Travel Mode, the vaults that aren’t safe are removed from all your devices, as if they never existed.

Those vaults are genuinely deleted from the device rather than merely hidden, which is an important note to highlight in an era of rising device searches at the US border. There’s no way to turn off Travel Mode from your phone. You can only toggle it through a browser that’s been authenticated with your account password and secret key.


Finally, 1Password offers masked emails and virtual credit cards, but it doesn’t offer them directly. Instead, it supports integrations with FastMail and Privacy.com, both of which offer additional subscriptions. I’m happy that 1Password is using well-known and popular tools for these services, but it doesn’t get around the fact that access to these two features will significantly bloat your monthly cost.

That’s one of 1Password’s weaknesses. It’s just a password manager. Proton and Nord offer extensive security suites that go beyond password management, and bundling them together will save you some money.

Cloud Only

It’s been close to a decade now, but 1Password used to allow you to host your own vaults. That changed in 2017, and since then, you haven’t been able to. The vast majority of commercial password managers work in this way, but there are still reasons you may want to host at least some logins locally.

But it’s not possible with 1Password. All of your vaults are stored in the cloud. Our top password manager recommendation, Bitwarden, offers a self-hosting option, and a lot of open source password managers like KeePassXC force you to figure out your own hosting solution. 1Password doesn’t need to be fully self-hosted, but it would be nice to have the option of storing some vaults locally, especially considering how much data you can store in your vault beyond passwords.

Barring these issues, 1Password still sets the gold standard for password managers when it comes to security. It has been consistently transparent about its security architecture, and it goes above and beyond most other password managers to keep your logins secure. It’s also cheap and dead-simple to use.
