1Password policies guide: What they do and how to set them up

by Nick Summers

Policies are an essential part of every administrator’s digital toolbox. They let you tailor 1Password to your organization’s needs, strengthening security where necessary and making it easier for team members to follow company guidelines and procedures.

Don’t worry if you haven’t rolled out any policies yet. Out of the box, 1Password improves your organization’s security by helping everyone use strong passwords and securely share company secrets.

But 1Password Enterprise Password Manager becomes an even more powerful part of your security stack once you roll out some policies. In this guide, you’ll learn how policies work in 1Password, why they’re essential, and which ones you should consider implementing first.

What are policies in 1Password?

Policies in 1Password allow you to refine how our enterprise password manager works in your organization. They’re technical controls that let you increase the level of protection around company assets, reinforce your organization’s broader security guidelines, and ensure you’re meeting all of your compliance requirements. Broadly speaking, policies allow you to enforce certain baselines regarding how employees use 1Password Enterprise Password Manager.

Why should I implement policies?

Every organization is different, with its own unique culture, infrastructure, workflows, and devices. Businesses also have different threats to consider, and varying tolerances for those risks. For instance, a company with an office has to consider the possibility of a criminal pickpocketing an employee’s keycard, whereas a fully remote organization doesn’t have to worry about this.

These variables are why we allow you to customize 1Password to your liking. Policies let you set up 1Password to match your organization’s requirements and make the secure choice the easy choice for your employees.

Here’s an example: You might already know that passkeys are a simpler and more secure alternative to passwords. (We’re big fans of them here at 1Password.) Our passkey policy lets you control when employees can use this type of credential, ensuring a smooth, stress-free transition to passwordless sign-ins across your organization.

What policies should I implement first?

While there’s no “right” order for rolling out policies, here are three we recommend implementing first:

1. Account password policy

The 1Password account password is part of our traditional security model. If your organization doesn’t use Unlock with SSO, every team member will use an account password to securely access 1Password. It’s combined with their corresponding Secret Key to protect the information stored in their vaults. (If your team does use Unlock with SSO, authentication works differently.)

You can implement a policy that enforces stronger account passwords, increasing the protection around every employee account. 1Password provides three policy options: minimum (10+ characters), medium (12+ characters), and strict (14+ characters) requirements.

You can also create your own policy with a minimum password length and custom complexity requirements.


2. Auto-lock

As the name suggests, the auto-lock policy ensures the 1Password app and browser extension lock after a set period of inactivity. It’s a robust failsafe if an employee loses their device or leaves it unattended in a public place.

But there’s a balance to be struck with this feature. You don’t want the auto-lock period to be so short that employees become frustrated, but it also shouldn’t be so long that it becomes a security concern.

With this policy, you can choose a time that makes the most sense for you and your business and doesn’t impact security or productivity.


3. Item sharing

1Password can store many types of secrets, from passwords to software license keys. The item-sharing policy gives you control over how your team can share this confidential information.

For example, you can limit item sharing outside your organization to people with an approved email domain. It’s a valuable way of ensuring team members can share necessary data with trusted partners, like external PR agencies and consulting firms, but not anyone else.

You can also limit the expiration time of each sharing link and decide whether team members can share documents and other important files.


Get started with admin policies

Follow these steps once you’re ready to enable your first policy:

  1. Sign in to your 1Password Business account on 1Password.com
  2. Select Policies in the sidebar
  3. Choose Manage under the relevant policy category
  4. Scroll down and turn on your chosen policy
  5. Select Save

Coming soon: New policies!

New policies are headed to the admin dashboard, giving you new ways to customize 1Password and support your team members.

But we’re being selective. We don’t want to fall into the trap of adding new policies without a second thought, which would result in an overwhelming list of options that provide little value. Instead, our team is focused on quality over quantity, so you can quickly browse and enable policies that will make a real difference in your organization.

Start using policies

Policies in 1Password make it easier for you to enforce your company’s security requirements. Employees, meanwhile, get some helpful guardrails that make it easier for them to follow your guidance and industry best practices. It’s a win-win.

You now know everything required to review and implement your first policies. When you’re ready, go ahead and start exploring the policies section in the 1Password admin dashboard! Just be sure to tell your team members how your new policies work, why they’re being rolled out, and when they will come into effect.

If you have questions, check out 1Password Support or start a discussion in 1Password Community!


Nick Summers - Content Marketing Manager