1Password Review – Safe & Secure, But Worth the Price?

1Password is a capable password manager that has been protecting users around the world for more than a dozen years. It has some exceptional features, like extra-strong encryption and Travel Mode, along with a few drawbacks, like no free version.

Will 1Password be the password manager you rely on in the future?

Let’s begin this 1Password review with a quick look at the pros and cons:

1Password feature summary

Here’s a quick summary of the full set of 1Password features:

• Supported platforms include Windows, macOS, Linux, Android, iOS, web, and major browsers
• Secure Password Generation and Sharing
• Secure Notes
• Form and Payment Autofill
• 2FA Support
• Travel Mode
• Password Import/Export
• Data is encrypted on your device
• Data encrypted in transit and at rest with AES-256, PBKDF2, SRP
• 1GB encrypted file storage
• Synchronizes across all your devices and browsers
• Supports alternate sync strategies
• Reports & Analysis
• Security Alerts
• Breach and Compromise Monitoring

Company Information

1Password is published by AgileBits, a company based in Ontario, Canada. It launched in 2006 as a Macintosh-only program. Over the years, AgileBits has updated the program to run on all the major operating systems, browsers, and mobile devices.

Unfortunately for us, Canada, like the United States, is a member of the Five Eyes Alliance (FVEY). Countries in this international intelligence gathering alliance are not known to have the strongest privacy laws. There have also been reports that they work together to spy on each other’s citizens, thereby contravening even those protections that do exist within a given country.

Many privacy advocates advise against using services that are based in any of the FVEY countries.

1Password Terms of Service

I reviewed the 1Password Terms of Service (TOS), dated April 23, 2019 (the most current as of the date of this review).

I did not see any problems or concerning issues with the TOS.

1Password Privacy Policy

I also reviewed the 1Password Privacy Policy, dated July 3, 2019. I liked how clearly it was written and what they had to say. They need to comply with Canadian privacy laws and with the GDPR for users who live in the European Union, which could make things complicated. But AgileBits has designed 1Password to function with very little data from you, making it easier for them to comply while protecting your privacy.

They divide the data they collect into Service Data, Secure Data, and optional Diagnostic Data.

Service Data

Service data is the kind of data AgileBits needs to make 1Password function. It is kept confidential, and normally only visible to the AgileBits staff. Service Data includes (but is not limited to):

• Server Logs
• Billing Information
• Client IP Addresses
• The Number of vaults You Have
• The Number of Items in Vaults
• Company or Family Name
• Email Addresses
• Your Profile Name
• Any Image You Upload as Part of Your Profile (Optional)

Note: If you are concerned about 1Password logging your IP address, simply use a good VPN service. This will conceal your real IP address and location.

Secure Data

Secure Data is the data you store in 1Password: passwords, notes, and so on. This data is encrypted/decrypted on your device. 1Password never sees your Master Password, which means they have no way to decrypt your data. Furthermore, your data is encrypted using a version of the AES-256 encryption algorithm (AES-GCM-256).

In addition, 1Password employs Password-Based Key Derivation Function 2 (PBKDF2), which makes it much harder for someone to discover your password through a brute force attack. In other words, the chances of an attacker cracking the encryption on your data are virtually zero.

Depending on where you create your account, your Secure Data can be stored in one of three regions: the United States, Canada, the European Union. This is determined by the 1Password domain you use, as shown here:

Whichever region your data lands in, remember that your Secure Data is strongly encrypted. Even if 1Password hands your Secure Data over to a government or intelligence agency, there is virtually no chance they could decrypt it (assuming the service is securely implemented with no back doors).

Diagnostic Data

As the name suggests, 1Password support may sometimes request this optional data to diagnose problems. The important thing here is that it never includes Secure Data, and they will never request your Master Password or Secret Key.

1Password security audits

1Password includes the results of five third-party audits on their Security Audits page. The audits were conducted between 2015 and the present day. The most recent testing included:

• An SOC2 Type 2 Audit conducted by an independent auditing firm. SOC (Service Organization Control) auditing is an independent process to ensure that a product securely manages data to protect customers’ interests and privacy. This type of audit primarily assesses how secure the product is against internal threats. LastPass likewise publishes the results of their SOC audit, although theirs was SOC3, presumably a bit tougher than SOC2 Type 2.
• Penetration testing conducted by AppSec Consulting. This is the kind of audit that tests how secure a product is against external threats. In part, the results of this audit were that, “The security controls observed in the 1Password application were found to be substantial and unusually impressive.” Bitwarden is another password manager that has completed penetration testing and published the results.
• An ongoing, private bug bounty program conducted by Bugcrowd, Inc. This testing surfaced nine high-priority problems. According to Bugcrowd, all the high-priority problems discovered by this process were resolved by September 30, 2019. (Some VPNs are also rolling out bug bounty programs, such as with NordVPN.)

While it would be nice to have full versions of each of these audits instead of just quotes and executive summaries, AgileBits deserves kudos for the number and variety of third-party audits they have conducted.

1Password apps

While 1Password started out as a Macintosh-only product, it now covers all the major operating systems and browsers.

For MacOS systems running High Sierra 10.13 or later, they provide:

• 1Password for Mac, a stand-alone MacOS app
• 1Password browser extensions for Safari, Chrome, Firefox, and Opera. You must have 1Password for Mac installed to use these extensions.
• 1Password X which provides a fuller experience and works in Chrome, Firefox, Brave, and Opera
• 1Password mini, which can fill in your data on Mac apps

For Windows 7 or later systems, they provide:

• 1Password for Windows, a stand-alone Windows app
• 1Password browser extensions for Chrome, Firefox, Microsoft Edge, Brave, and Opera
  You must have 1Password for Windows installed to use these extensions.
• 1Password X which provides a fuller experience and works in Chrome, Firefox, Brave, and Opera.
• 1Password mini, which can fill in your data on Windows apps

Linux and Chrome OS users can use 1Password X with Chrome or Firefox. Or you can use the 1Password Command-Line tool.

When it comes to smartphones, you can get 1Password for iOS (version 12 or later) and Android (version 5.0 Lollipop or later).

1Password hands-on testing

I installed 1Password for Windows on my test machine and added 1Password X to Chrome for this review. (Note: Chrome is not a secure browser that respects your privacy, but it remains very popular, which is why I used it for this 1Password review.)

Installing 1Password

You can install 1Password for Windows by creating an account on their website. You’ll need to give them a valid email address, and they will ask you for a credit card number (which you don’t need to give them right now). This will put you into your free 30-day trial.

As part of the installation process, 1Password will create your Secret Key and Emergency Kit.

AgileBits says the key is generated on your device and that they never see it. You need to enter the Secret Key whenever you sign in from a new device. Using this Secret Key in addition to your password adds an additional layer of protection to your account.

Because AgileBits doesn’t generate or know the Secret Key, you need to know it and protect it yourself. To make that easier, 1Password can create an Emergency Kit, which contains all the information you need to get into the account.

Be sure to download the kit, and store the file in a safe place. You might even want to go so far as to print it and stash a copy in your strongbox or other secure physical location.

Once you get setup, you can download the various apps from the site, and get the browser extensions or 1Password X from the relevant app store.

1Password for Windows looks like this:

Adding passwords and other data to 1Password

Once you have your account set up and the 1Password apps and extensions you want installed, you’re going to need to get your passwords and other data into 1Password. 1Password may be able to do the job for you automatically. It all depends on where your data is now and whether or not you are using 1Password for Mac.

Importing passwords and data

This is one place where 1Password lags behind most of the competition. They have a limited set of browsers and password managers they can import from directly. That said, you may still be able to import from other sources, but it will not be as easy.

So where can we import directly from?

1Password.com and 1Password for Mac know how to import data from:

• Chrome
• Dashlane
• LastPass
• SplashID
• Roboform

1Password.com can only import the login credentials from these locations. It can’t pull in your Credit Cards, Software Licenses, or Secure Notes. Only 1Password for Mac can import that data.

If the source of your data isn’t listed here, you can try importing it using CSV files. In this case, I suggest you visit this 1Password Support page and read up on what you will need to do to get your data transferred.

If you have a lot of data to import into your next password manager, and you aren’t using a Mac, or your data is not stored in one of the 5 or so places 1Password can import from, I suggest you think carefully about whether 1Password’s import capabilities meet your needs.

Manually entering passwords and data

If you want to (or have to) enter some passwords manually, you’ll be doing it through the Desktop app as well.

Note: I’ll demonstrate the process with Login credentials, but it is basically the same process for anything you store in 1Password. The following image shows the list of data types you can store in 1Password:

Select the type of data you want to add and you’ll see a form on the right side of the 1Password window where you can enter your data.

Letting 1Password capture a password itself

This is another place where 1Password does things slightly differently. Most password managers wait for you to log into a site, then ask you if you want them to store the login credentials you used.

1Password doesn’t wait for you to log in successfully. Instead, as you can see in the following image, it offers to save your login credentials as you enter them:

When it comes to effectively saving your login credentials, no password manager is 100% perfect. Like any other password manager, 1Password sometimes won’t be able to capture the data. For cases like this, you’ll just have to manually enter your credentials.

Working with your passwords

Let’s open up 1Password X now. Its icon is in the top right of the Chrome browser window. It looks something like this:

To work with a password (or other data) in 1Password X, you begin typing the name of the item you want into the Search box at the top of the window. If you would rather see a list of all the passwords you have stored here, you’ll want to do that with the Desktop app. I find this kind of clumsy, although I’m sure it wouldn’t take long to get used to it.

One nice feature of 1Password is the Watchtower. This is the company’s name for their system of checking your passwords and warning you of any problems with them. To see it, log in to 1Password.com, select a vault, then select Watchtower in the menu on the left side of the window. 1Password generates a Watchtower report, which will look something like this:

It shows you which passwords have problems, and tells you how to fix the problem. Unlike some of its competitors, 1Password won’t change your problem passwords for you (see Dashlane). However, it quickly identifies problem passwords, which you can fix with the password generator.

The password generator feature of 1Password

1Password has a perfectly usable password generator. While it lacks some of the customization options that other products have, I like its ability to generate PIN numbers (numerals only) as well as easy to speak, type, and remember passwords like: blatant-quay-pandemic-hopper.

To get to the password generator, you can click the icon in the Password section of a particular site. In 1Password X, you can click the plus sign in a circle icon, then the Password Generator icon. The Password Generator looks like this:

Editing your data

Current versions of 1Password follow the common approach of other password managers. It stores an encrypted copy of your data on each device as well as keeping a copy in the cloud (on 1Password’s servers).

But what happens if one of your instances of 1Password loses its connection to the Internet? And what happens if some of your data changes while that instance if offline?

It is possible for a password manager to get confused in this case, resulting in duplicate items, for example. To prevent this, some password managers stop you from changing the data on your device when it can’t talk to the central servers.

I tested this on 1Password. I was able to make changes to the data in the disconnected device. When I reconnected the device to the Internet, 1Password picked up on the change. It correctly propagated the changes to the rest of my devices. So I did a few more tests. I:

• Made changes to the connected device that got propagated to the disconnected device once it was online again.
• Made changes to the connected device first, then to the disconnected device.
• Made changes to the disconnected device first, then to the connected device.

In each case, 1Password got everything synchronized properly once the disconnected device was back online. This was an impressive performance and the AgileBits team deserves recognition for a job well done.

1Password in action

Once you are done with all the preliminaries, you are ready to put 1Password to work. Whenever you visit a web page that 1Password has data for, it will display the 1Password icon in any of the date fields it “knows.” Click the icon to fill all the relevant fields.

If you have more than one password for this page (for example with multiple email accounts) 1Password will display a list of available credentials. Select one of the options and 1Password will fill in the appropriate fields.

Additional 1Password features

We’ve touched on 1Password’s basic features. Now let’s talk about some of the additional features that might be important to you.

Travel Mode (all plans)

Travel mode is a strong feature of 1Password. You can tell 1Password which of your vaults is safe for travel. Once you activate Travel Mode, all vaults that are not safe for travel get deleted from your device. This ensures that if your devices are inspected while you travel, that inspection will only find the data that you designated as safe.

For the complete rundown on Travel Mode, visit this 1Password support page.

Sharing passwords (Family, Team, and Business plans)

These 1Password Plans allow you to share passwords with other users. The number of users you can share with depends on which plan you have. All the multi-person plans can share.

User Management (Family, Team, and Business plans)

All multi-user plans allow you to view and manage the users who are part of your plan.

Secure file storage: 1 GB+ (all plans)

Personal, Family, and Team plans all feature 1 GB of secure file storage per user. The Business plans include at least 5 GB of secure file storage per user.

365 day item history

1Password keeps a history of all changes (even emptying the trash) you make to your account for 365 days. This makes it possible to view and restore previous versions of items.

Advanced sync options

If you don’t want to use the 1Password sync solution, there are some advanced options you can use to keep your devices synced. Solutions include using iCloud, Dropbox, a WLAN Server, or a Local Folder. Each of these options has its own quirks and requirements, so if you are interested, you can find out more here.

1Password Support

Providing quality support is expensive. Perhaps that’s the tradeoff with 1Password. You don’t get a free version of the product. Instead you get a paid version with quality support. Trustpilot is full of 1Password reviews that praise the support AgileBits provides for their product.

You can contact 1Password Support by email, Twitter, or through their community forums. There is no telephone support, but you should be able to get help through these channels quickly.

Aside from the tens of thousands of topics (with hundreds of thousands of replies) in the forums, the 1Password Support page has many articles covering numerous topics. Put it all together, and 1Password Customer Support is definitely a strong point of the product/service.

How secure and private is 1Password? 

1Password has a lot of positives. But is your data secure and private if you use 1Password?

1Password security

1Password goes above and beyond when it comes to security. As with other top password managers, your data is encrypted using the AES-256 algorithm, with keys generated from your Master Password. But 1Password includes your 128-bit Secret Key with the Master Password in the encryption, adding a lot of entropy to the process (making it much harder to crack by brute force).

What all this means in plain English is that your data is about as secure as can be when you store it in 1Password.

Note: If you are interested in the encryption and security details, check out the 1Password Security Model page.

1Password privacy

As usual, privacy is more of an issue. 1Password does collect some personal data, and they may have to share it with third parties and governments. As we covered above, this is all explained in the Privacy Policy.

Since 1Password isn’t Open Source software, unlike with Bitwarden, we have to take their word for it as to what data they collect and what they do with it. But as of today, I’ve seen no reason to doubt them on this.

Lastly, remember that all data stored in 1Password is heavily encrypted, above and beyond the norm. AgileBits states that they never see your Master Password, nor your Secret Key. This means that they have no way to decode your data. This ensures the privacy of your data, even if some government agency forces AgileBits to hand over your (encrypted) data files.

1Password prices

1Password is a feature-rich, quality product. So the question is, how much will it cost you if you want to make this your password manager? Let’s see…

Single user and Family plans

The 1Password single user plan would cost you $2.99 per month, billed annually. That works out to $35.88 per year, after your 30-day trial.

The 1Password Family plan supports up to five family members for only $4.99 per month, billed annually ($59.88). For this price you get everything in the single user version, plus password sharing, a management console for the family, the ability to recover locked family member accounts, and more.

Got a big family? You can invite additional members to join the plan for $1 per person per month.

Team and Business plans

If you want to use 1Password at work, you have three options: the Teams, Business, and Enterprise plans.

I won’t try to list all the features and benefits of these plans. Suffice it to say that they are full-featured.

The Teams plan will set your company back $3.99 per user per month, billed annually. In other words: $47.88.

The Business plan piles on the additional features and benefits (even including free Family accounts for your users), with a price of $7.99 per user per month. Billed annually, that comes to $95.88 per user.

For the Enterprise plan pricing, you’ll need to contact 1Password directly.

1Password alternatives

What if you don’t like 1Password for some reason? Fortunately, there are lots of good password managers out there. Two other fully-featured products to consider are LastPass or Dashlane. Both these alternatives are rich in features, and offer support for most usage scenarios covered by 1Password.

All three products are based in Five Eyes countries, but they all use strong encryption that should protect your stored data from third parties. None of them are Open Source products, so there is a degree of trust involved. Both LastPass and Dashlane have free plans, which at a minimum could make testing them easier than with 1Password.

LastPass is powerful and good looking, with lots of additional features. It is somewhat less expensive than 1Password, but doesn’t offer a VPN or the credit management tools of 1Password.

Dashlane gives you the most features of any password manager I’ve seen so far. Whether you need them all, or are willing to pay a premium price for them, is a different question. That said, Dashlane has a Business plan that is significantly less expensive than 1Password’s.

1Password review conclusion

1Password is a quality product that offers good value at a reasonable price They have an excellent security model, and praiseworthy customer Support. Their Travel Mode is a great idea that other password managers should consider implementing.

Is 1Password the best password manager for you or your organization? Maybe. 1Password benefits include:

• Works on all the major operating systems and most of the top browsers
• Has plans for everyone from the single user to entreprises
• Has extra strong encryption to keep your data secure
• Has a Support team and resources that get high marks from users
• Travel Mode lets you protect your private data from intrusive border inspections

On the other hand, 1Password drawbacks include:

• Doesn’t provide a free plan
• Has different formats (web, desktop, browser extension) with different capabilities, which can be confusing
• The user interface can be overly-complex in places
• No telephone support
• Is based in a Five Eyes (FVEY) country and your data may be stored in one too

You’ll need to weigh these benefits and drawbacks to make your decision. The best I can tell you is to make use of that 30-day free trial to see for yourself. You can start that process right here.

Additional guides:

Password Managers – Our main guide on this topic.

Privacy Tools – A big list of important privacy and security tools to keep your data safe.

How to Create Strong Passwords

And here is a full list of our other password manager reviews:

• Bitwarden Review
• LastPass Review
• KeePass Review
• NordPass Review
• Dashlane Review
• 1Password Review
• Best Password Managers