We’ve been protecting our customers' data for over fifteen years, and in all that time 1Password has never been hacked. But even if it was, we’ve designed our systems to make sure your passwords and information would still be safe. Here’s how it works.
You trust us with some of your most valuable data: confidential logins, bank information, secure notes, and more. So a question like, “What happens if 1Password gets hacked?” is completely reasonable. In fact, it’s a question we asked ourselves when we designed 1Password’s security model.
Here’s why your information is safe in 1Password, and why you don’t need to worry about your passwords being exposed if our servers were to be attacked.
There’s no single point of failure
Three things are needed to decrypt your information: the encrypted data itself, your account password, and your Secret Key. Only you know your account password, and your Secret Key is generated locally during setup. The two are combined on-device to encrypt your vault data and are never sent to 1Password.
Only the encrypted vault data lives on our servers, so neither 1Password nor an attacker who somehow manages to guess or steal your account password would be able to access your vaults – or what’s inside them.
We’ll never know your account password
Your account password is the only one you need to remember.
Make sure to use something long, unique, and memorable. If you need inspiration, you can use our password generator when you set up your account. Suggestions are drawn from a pool of 18,000 words, so a four-word suggested password is one of about 100 million billion possible combinations. Plus, suggested passwords are generated entirely on your device.
No matter how you create it, your account password is never visible to us.
Your Secret Key is yours alone
When you sign in to 1Password on a new device, you’ll also need your Secret Key. You don’t need to memorize this key, nor do you need to enter it every time you unlock a trusted device.
The Secret Key is an account-specific, 26 character, 128-bit strong encryption ingredient generated on your device when you first create your account. Only you possess it, and it’s stored solely on the devices you choose.
Secret Keys are impossible to guess; they’re generated from a range of 2^128 possibilities. Written the long way, that means 340,282,366,920,938,463,463,374,607,431,768,211,456 possible combinations. And, like your account password, your Secret Key is never sent to our servers.
End-to-end encryption keeps your information safe
When you sign in to 1Password, your information is further protected by a unique communication system that ensures neither your account password nor Secret Key are ever sent over the network.
In essence, all communication between your devices and 1Password’s servers is encrypted end-to-end, and the critical keys an attacker would need to decrypt your vault data on our servers are never sent over the network where they could be intercepted.
You don’t need to share secrets to confirm your identity
Since we never see your account password or Secret Key, we need some other way to confirm your identity to make sure your encrypted data is only accessible to you.
Industry-standard Transport Layer Security (TLS) provides a first line of defence, but we’ve bolstered it with a custom protocol known as Secure Remote Password (SRP) that handles communication between your devices and the 1Password servers. Unlike a traditional login, SRP ensures you never have to share sensitive information.
With Secure Remote Password, your account password and Secret Key are used to generate a new key – entirely separate from the one that encrypts your data. 1Password on your device sends the 1Password server a series of puzzles. Once solved, these prove to the server that you know your account password and Secret Key without having to share them. Likewise, the server has to prove to your device that it holds the data you’re asking for.
These puzzles are different every time the app connects to the server, so they can never be replicated by an outside observer.
1Password has never been hacked
It bears repeating: 1Password has never been hacked. But even if our infrastructure were to be breached in the future, you can rest assured your data wouldn’t be at risk.
Every decision we make at 1Password begins and ends with the safety and privacy of your information. We know how important your data is, and it’s on us to make sure it stays completely safe from prying eyes.