Jump to content

1Password: Difference between revisions

From Consumer Rights Wiki
← Older editNewer edit →
VisualWikitext
Raster (talk | contribs)
confirmed
143 edits
Formatted quotes, removed placeholder content, rewrote some parts removing extended parantheses (in hopes it's a more formal writing style), bunch of comments (that can be deleted once irrelevant) and added references.
Line 10: Line 10:
|Logo=1Password-logo.png|ReleaseYear=2006}}1Password is a multi-platform subscription-based password manager developed by AgileBits Inc. One of the unique elements of this password manager is the combination of a master password with a second secret key generated on-device (i.e., not in the cloud). Unlocking a user's vault therefore requires '''both''' pieces of information to decrypt and access. Conventional two factor authentication using either software tokens or hardware-based tokens (e.g., Yubikey, Google Titan) can be added to further secure a vault. 1Password is not open source and not self-hostable.
|Logo=1Password-logo.png|ReleaseYear=2006}}1Password is a multi-platform subscription-based password manager developed by AgileBits Inc. One of the unique elements of this password manager is the combination of a master password with a second secret key generated on-device (i.e., not in the cloud). Unlocking a user's vault therefore requires '''both''' pieces of information to decrypt and access. Conventional two factor authentication using either software tokens or hardware-based tokens (e.g., Yubikey, Google Titan) can be added to further secure a vault. 1Password is not open source and not self-hostable.


Beyond passwords, 1Password is capable of storing myriad site credentials including one-time codes, emails / user names, and additional notes. A user can also choose a preferred single sign-on service to login.
Beyond passwords, 1Password is capable of storing myriad site credentials including one-time codes, emails / user names, and additional notes.<ref>{{Cite web |title=Password Manager for Individuals & Families |url=https://1password.com/product/password-manager |access-date=2025-10-21 |website=1Password}}</ref> A user can also choose a preferred single sign-on service to login.{{CitationNeeded|reason=absent from current login page (Oct 2025)}}


==Consumer impact summary==
==Consumer impact summary==


===Freedom===
===Freedom===
Users can import existing passwords from other managers and export passwords and other content in formats suitable for importing into other managers. 1Password is not a walled-garden. Allowing the subscription to expire places an account in a read-only state, allowing the user to download their passwords and other saved content.
<blockquote>"You can export your 1Pasword information at any time. If you discontinue payment, your account will enter a frozen (read-only) state that still allows you to retrieve and export your information. Your export will be limited to the information you saved in 1Password. We can’t guarantee that vault permissions, group structures, and other details about relationships between people and information are included."<ref name="privacy">{{Cite web |date=2025-02-27 |title=About 1Password and your privacy |url=https://support.1password.com/1password-privacy/ |access-date=2025-09-05 |work=1Password Support}}</ref></blockquote>Users can import existing passwords from other managers and export passwords and other content in formats suitable for importing into other managers. 1Password is not a walled-garden. Allowing the subscription to expire places an account in a read-only state, where the user can still download their passwords and other saved content.
 
"You can export your 1Pasword information at any time. If you discontinue payment, your account will enter a frozen (read-only) state that still allows you to retrieve and export your information. Your export will be limited to the information you saved in 1Password. We can’t guarantee that vault permissions, group structures, and other details about relationships between people and information are included."<ref name="privacy">{{Cite web|url=https://support.1password.com/1password-privacy/|title=About 1Password and your privacy|access-date=2025-09-05|date=2025-02-27|work=1Password Support}}</ref>


===Privacy===
===Privacy===
Extracted directly from the privacy policy,
From "Your Rights" section of the privacy policy:<blockquote>"'''You have the right to your information.''' We'll never lock you out of your 1Password account, but we're unable to decrypt it for you."<ref name="privacy" /> </blockquote>This implies anything inside it is hidden from the company, which is great as it is a password manager.<blockquote>"'''You have the right to know what we know.''' You have the right to know what we know about you and see how we handle that information. If you make such a request, you'll receive a screenshot of what we can see about you in our systems. To protect customer privacy, these requests will be carefully authenticated beyond demonstrating control of the registered email address."<ref name="privacy" /></blockquote>Possibly, such a request will need to contain identifying information you have to provide in order to use the service such as email, name, address, and payment information.
 
"We'll never lock you out of your 1Password account, but we're unable to decrypt it for you."<ref name="privacy" /> (implies anything in it is hidden from the company, which, considering this is a password manager, is a very good thing)
 
"You have the right to know what we know. You have the right to know what we know about you and see how we handle that information. If you make such a request, you'll receive a screenshot of what we can see about you in our systems. To protect customer privacy, these requests will be carefully authenticated beyond demonstrating control of the registered email address." (expect to be any identifying information you have to provide in order to use the service such as email, name, address, payment information)


===User security===
===User security===
Users should be aware that using password manager browser extensions increases their vulnerability to clickjacking<ref>{{Cite web|url=https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/|title=Major password managers can leak logins in clickjacking attacks|work=Bleeping Computer|date=2025-08-20|first=Bill|last=Toulas|access-date=2025-09-05}}</ref> where the autofill feature of password managers is abused to trick the password manager into leaking user credentials and other sensitive details.<ref>{{Cite web|url=https://cybernews.com/security/password-managers-autofill-credentials-for-attackers/|title=Major flaw affecting password managers: they autofill credentials for attackers|first=Ernestas|last=Naprys|date=2025-08-21|work=Cybernews|access-date=2025-09-05}}</ref> It is always best practice to copy in these elements on trusted pages manually.
Users should be aware that using password manager browser extensions increases their vulnerability to clickjacking<ref name=":0">{{Cite web|url=https://www.bleepingcomputer.com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/|title=Major password managers can leak logins in clickjacking attacks|work=Bleeping Computer|date=2025-08-20|first=Bill|last=Toulas|access-date=2025-09-05}}</ref> where the autofill feature of password managers is abused to trick the password manager into leaking user credentials and other sensitive details.<ref name=":1">{{Cite web|url=https://cybernews.com/security/password-managers-autofill-credentials-for-attackers/|title=Major flaw affecting password managers: they autofill credentials for attackers|first=Ernestas|last=Naprys|date=2025-08-21|work=Cybernews|access-date=2025-09-05}}</ref> It is considered best practice to copy in these elements on trusted pages manually. <ref name=":0" /><ref name=":1" /><ref>{{Cite web |last=Tóth |first=Marek |date=2025-09-11 |title=DOM-based Extension Clickjacking: Your Password Manager Data at Risk |url=https://marektoth.com/blog/dom-based-extension-clickjacking/ |access-date=2025-10-21 |website=marektóth}}</ref>


===Business model===
===Business model===
Subscription based, has a strong emphasis on enterprise credential management, especially for secret management for software development (e.g., SSH keys, authentication tokens, API keys, etc.).
Subscription based, has a strong emphasis on enterprise credential management,<ref>{{Cite web |title=1Password Device Trust |url=https://1password.com/product/device-trust |access-date=2025-10-21 |website=1Password}}</ref><ref>{{Cite web |title=XAM: Extended Access Management |url=https://1password.com/extended-access-management |access-date=2025-10-21 |website=1Password}}</ref>  especially for secret management for software development (e.g., SSH keys, authentication tokens, API keys, etc.).{{CitationNeeded}} <!-- A skim through the product pages, I couldn't find this particular mention. It's probably somewhere, though and that the problem is I don't understand the technology to know where to look -->


===Market control===
===Market control===
{{Incomplete section}}
<!-- This still kinda sucks, but I did technically delete what I felt was placeholder text -Raster -->
1Password claims on its website that it is industry leading.  
1Password claims on its website front page that it is industry leading, although it does not cite any public market researches or 3rd party audits. However, a bug bounty program exists on HackerOne.<ref>{{Cite web |date=2024-12-09 |title=1Password - CTF {{!}} Bug Bounty Program Policy |url=https://hackerone.com/1password_ctf?type=team |access-date=2025-10-21 |website=HackerOne}}</ref> Market studies and reviews (as of October 2025) show that it has significant competitive control.<ref>{{Cite web |title=Password Management Market Size & Share Analysis - Growth Trends & Forecasts (2025 - 2030) |url=https://www.mordorintelligence.com/industry-reports/password-management-market |access-date=2025-10-21 |website=Mordor Intelligence}}</ref><ref>{{Cite web |last=Bouman |first=Amber |last2=Spadafora |first2=Anthony |date=2025-09-11 |title=The best password managers in 2025 |url=https://www.tomsguide.com/us/best-password-managers,review-3785.html |access-date=2025-10-21 |website=Tom's Guide}}</ref><ref>{{Cite web |last=Key |first=Kim |last2=Henry |first2=Alan |date=2025-10-14 |title=The Best Password Managers for 2025 |url=https://www.pcmag.com/picks/the-best-password-managers |access-date=2025-10-21 |website=PCMag}}</ref> <!-- These are by no means amazing sources, I just skimmed through with Ctrl + F to see what they said about 1Password. Generally it's like 5 star reviews with "it's okay" as the actual review -raster -->
 
Password managers are pretty much a dime a dozen these days, highly competitive.  


==Incidents==
==Incidents==
Line 42: Line 34:


===1Password Okta instance breach, discovered (''29 Sept 2023'')===
===1Password Okta instance breach, discovered (''29 Sept 2023'')===
1Password published a blog post disclosing an internal investigation of the breach.<ref>{{Cite web|url=https://blog.1password.com/okta-incident/|title=Okta Support System incident and 1Password|date=2023-10-23|first=Pedro|last=Canahuati|work=1Password Blog|access-date=2025-09-05}}</ref> It largely appears one of the attackers actions triggered an email to a member of the IT team who acted swiftly to contain the breach. The company reported user data was not exfiltrated or decrypted.
1Password published a blog post disclosing an internal investigation of the breach.<ref>{{Cite web|url=https://blog.1password.com/okta-incident/|title=Okta Support System incident and 1Password|date=2023-10-23|first=Pedro|last=Canahuati|work=1Password Blog|access-date=2025-09-05}}</ref> It largely appears one of the attackers actions triggered an email to a member of the IT team who acted swiftly to contain the breach. The company reported user data was not exfiltrated or decrypted.<ref>https://blog.1password.com/files/okta-incident/okta-incident-report.pdf</ref> <!-- An archived copy is available at https://consumerrights.wiki/images/1/12/Okta-incident-report.pdf by clicking the below picture, but I'm not sure it's the most intuitive way to access it for whoever CRW will be presented to as evidence as it requires clicking twice. Maybe I'm overthinking this... -raster  -->
<gallery>
<gallery>
File:Okta-incident-report.pdf|PDF document report
File:Okta-incident-report.pdf|PDF document report of the breach (click twice to open)
</gallery>
</gallery>


Line 52: Line 44:


[[Category:{{PAGENAME}}]]
[[Category:{{PAGENAME}}]]
[[Category:Password managers]]

Revision as of 15:17, 21 October 2025


1Password
File:1Password-logo.png
Basic Information
Release Year 2006
Product Type Software,Password Managers
In Production Yes
Official Website https://1password.com/

1Password is a multi-platform subscription-based password manager developed by AgileBits Inc. One of the unique elements of this password manager is the combination of a master password with a second secret key generated on-device (i.e., not in the cloud). Unlocking a user's vault therefore requires both pieces of information to decrypt and access. Conventional two factor authentication using either software tokens or hardware-based tokens (e.g., Yubikey, Google Titan) can be added to further secure a vault. 1Password is not open source and not self-hostable.

Beyond passwords, 1Password is capable of storing myriad site credentials including one-time codes, emails / user names, and additional notes.[1] A user can also choose a preferred single sign-on service to login.[citation needed - absent from current login page (Oct 2025)]

Consumer impact summary

Freedom

"You can export your 1Pasword information at any time. If you discontinue payment, your account will enter a frozen (read-only) state that still allows you to retrieve and export your information. Your export will be limited to the information you saved in 1Password. We can’t guarantee that vault permissions, group structures, and other details about relationships between people and information are included."[2]

Users can import existing passwords from other managers and export passwords and other content in formats suitable for importing into other managers. 1Password is not a walled-garden. Allowing the subscription to expire places an account in a read-only state, where the user can still download their passwords and other saved content.

Privacy

From "Your Rights" section of the privacy policy:

"You have the right to your information. We'll never lock you out of your 1Password account, but we're unable to decrypt it for you."[2]

This implies anything inside it is hidden from the company, which is great as it is a password manager.

"You have the right to know what we know. You have the right to know what we know about you and see how we handle that information. If you make such a request, you'll receive a screenshot of what we can see about you in our systems. To protect customer privacy, these requests will be carefully authenticated beyond demonstrating control of the registered email address."[2]

Possibly, such a request will need to contain identifying information you have to provide in order to use the service such as email, name, address, and payment information.

User security

Users should be aware that using password manager browser extensions increases their vulnerability to clickjacking[3] where the autofill feature of password managers is abused to trick the password manager into leaking user credentials and other sensitive details.[4] It is considered best practice to copy in these elements on trusted pages manually. [3][4][5]

Business model

Subscription based, has a strong emphasis on enterprise credential management,[6][7] especially for secret management for software development (e.g., SSH keys, authentication tokens, API keys, etc.).[citation needed]

Market control

1Password claims on its website front page that it is industry leading, although it does not cite any public market researches or 3rd party audits. However, a bug bounty program exists on HackerOne.[8] Market studies and reviews (as of October 2025) show that it has significant competitive control.[9][10][11]

Incidents

This is a list of all consumer protection incidents related to this product. Any incidents not mentioned here can be found in the 1Password category.

1Password Okta instance breach, discovered (29 Sept 2023)

1Password published a blog post disclosing an internal investigation of the breach.[12] It largely appears one of the attackers actions triggered an email to a member of the IT team who acted swiftly to contain the breach. The company reported user data was not exfiltrated or decrypted.[13]

See also

References

  1. "Password Manager for Individuals & Families". 1Password. Retrieved 2025-10-21.
  2. 2.0 2.1 2.2 "About 1Password and your privacy". 1Password Support. 2025-02-27. Retrieved 2025-09-05.
  3. 3.0 3.1 Toulas, Bill (2025-08-20). "Major password managers can leak logins in clickjacking attacks". Bleeping Computer. Retrieved 2025-09-05.
  4. 4.0 4.1 Naprys, Ernestas (2025-08-21). "Major flaw affecting password managers: they autofill credentials for attackers". Cybernews. Retrieved 2025-09-05.
  5. Tóth, Marek (2025-09-11). "DOM-based Extension Clickjacking: Your Password Manager Data at Risk". marektóth. Retrieved 2025-10-21.
  6. "1Password Device Trust". 1Password. Retrieved 2025-10-21.
  7. "XAM: Extended Access Management". 1Password. Retrieved 2025-10-21.
  8. "1Password - CTF | Bug Bounty Program Policy". HackerOne. 2024-12-09. Retrieved 2025-10-21.
  9. "Password Management Market Size & Share Analysis - Growth Trends & Forecasts (2025 - 2030)". Mordor Intelligence. Retrieved 2025-10-21.
  10. Bouman, Amber; Spadafora, Anthony (2025-09-11). "The best password managers in 2025". Tom's Guide. Retrieved 2025-10-21.
  11. Key, Kim; Henry, Alan (2025-10-14). "The Best Password Managers for 2025". PCMag. Retrieved 2025-10-21.
  12. Canahuati, Pedro (2023-10-23). "Okta Support System incident and 1Password". 1Password Blog. Retrieved 2025-09-05.
  13. https://blog.1password.com/files/okta-incident/okta-incident-report.pdf
Retrieved from "https://consumerrights.wiki/index.php?title=1Password&oldid=28076"