1Password has never been hacked. If it were, your passwords and sensitive information would still be safe. Find out why.
We think about security a lot. You may even say we’re obsessed. We do everything we can to make sure every piece of data stored on our systems is safe from criminals. And, while we don’t ever want to be hacked, we've made sure you'll remain safe even if we were.
As a result, every single decision at 1Password starts with evaluating the safety and privacy of your data. We know how important your data is to you, and it’s on us to make sure it is locked up tight, away from prying eyes. It takes a combination of policy, innovative thinking, and a deep respect for your right to privacy.
You put a lot of trust in us by storing your confidential logins, bank information, secure notes, and more. So asking a question like, “What happens if 1Password gets hacked?” is completely reasonable. We want you to ask questions like this so we can make sure you understand just how secure your data is. We want you to feel safe every time you use 1Password.
Here’s why your information is safe with 1Password and why you don’t need to worry that your passwords will be exposed or released.
Nothing “crackable” is stored
Your Master Password and your Secret Key are the real stars of the show when it comes to security at 1Password. These two elements are designed to work alongside our security practices to keep your data safe. The strong Master Password that you create is what locks your information up tight. To keep that info secure, only you know your Master Password, and it's never stored anywhere in our system or on our servers.
The same goes for your Secret Key. When you create an account, 1Password will generate a private, 128-bit Secret Key that is used to encrypt your data. Like your Master Password, your Secret Key never leaves your devices and isn’t stored anywhere on our servers where hackers could potentially gain access to it. However, unlike your Master Password, your Secret Key doesn’t ever have to be memorized. It’s generated on your own device and stored locally. It works in tandem with your Master Password to give your account a strong line of defense against cybercriminals.
You can feel confident in the knowledge that our Two-Secret Key Derivation mixes your locally held Secret Key with your Master Password, so the data we store on our servers can’t be used in cracking attempts. In order for an attacker who potentially captured any server data to have a hope of cracking your information, they would need to take two steps. Not only would they need to chip away and make guesses at your Master Password, but they would also need to have access to the random combination of the 34 letters and numbers which make up your Secret Key.
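The effect of mixing the two secrets can be checked with a short added example (not 1Password's own code or exact algorithm). It assumes PBKDF2-HMAC-SHA256 for the password, HMAC-SHA256 for the Secret Key, an XOR to combine them, and a hash as a stand-in for the server-held record; all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000  # assumed value, kept low so the example runs quickly

def password_only_key(password: str, salt: bytes) -> bytes:
    """Conventional design: the key depends on the memorised secret alone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def two_secret_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix the stretched password with a high-entropy, device-held secret."""
    stretched = password_only_key(password, salt)
    device_part = hmac.new(secret_key, b"example-2skd" + salt, hashlib.sha256).digest()
    return bytes(p ^ d for p, d in zip(stretched, device_part))

def server_record(key: bytes) -> str:
    """Stand-in for any key-derived value a server would hold."""
    return hashlib.sha256(b"verifier" + key).hexdigest()

def offline_guess(stolen_record: str, wordlist, derive):
    """Replay each guess through `derive`; return the matching password or None."""
    for guess in wordlist:
        if hmac.compare_digest(server_record(derive(guess)), stolen_record):
            return guess
    return None

# Constructed sample data
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = secrets.token_bytes(16)  # 128 bits, generated on the device
PASSWORD = "tr0ub4dor&3"
WORDLIST = ["123456", "letmein", "tr0ub4dor&3", "hunter2"]

def demo():
    weak = server_record(password_only_key(PASSWORD, SALT))
    strong = server_record(two_secret_key(PASSWORD, SECRET_KEY, SALT))
    unknown_key = secrets.token_bytes(16)  # what someone without the device has
    return {
        "password_only": offline_guess(
            weak, WORDLIST, lambda g: password_only_key(g, SALT)),
        "two_secret_without_key": offline_guess(
            strong, WORDLIST, lambda g: two_secret_key(g, unknown_key, SALT)),
        "two_secret_with_key": offline_guess(
            strong, WORDLIST, lambda g: two_secret_key(g, SECRET_KEY, SALT)),
    }

if __name__ == "__main__":
    print(demo())
```

With the password-only record, a wordlist that contains the password recovers it; with the two-secret record, the same wordlist finds nothing unless the Secret Key from the device is also known.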
We provide you with end-to-end encryption
1Password works wherever you are, with apps for every operating system and device. This gives you access to your passwords whether you're at home or on the go. 1Password uses end-to-end encryption no matter which device you use, which means your data is always secure.
Every time you use 1Password, your data is protected with multiple layers of encryption before a single byte even leaves your device. Both your Master Password and Secret Key play a part in protecting your account by combining together to create the encryption keys that keep your data secure. This is why it's important to pick a strong yet memorable Master Password.
When your encrypted data travels through cyberspace between your device and our servers, it is encrypted and authenticated by Transport Layer Security (TLS) and our own transport encryption. Learn more about how 1Password protects your data when you use a sync service.
Using Secure Remote Password (SRP)
One of the largest flaws in a traditional password entry system is in the sign-in process. What typically happens is that when you go to sign in, the system will send your password to its servers. Transmitting your password in this way leaves it vulnerable to interception. 1Password recognizes that fact and takes steps to counter it by using the SRP protocol. This protocol actually authenticates your login details without ever sending your Master Password over the Internet, leaving it unable to be stolen while it’s in transit. Learn more about how the SRP protocol works.
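The exchange described above, as an added sketch of the generic SRP-6a math (not 1Password's implementation). The 127-bit modulus, generator, SHA-256 hashing and function names are assumptions chosen to keep it short; real deployments use a standardized group of 2048 bits or more.

```python
import hashlib
import secrets

N = 2**127 - 1  # toy prime modulus (assumption); far too small for real use
g = 3

def H(*parts) -> int:
    """Hash length-prefixed parts to an integer."""
    h = hashlib.sha256()
    for p in parts:
        data = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def register(password: str):
    """Enrollment on the client: only (salt, verifier) goes to the server."""
    salt = secrets.token_bytes(16)
    x = H(salt, password)
    return salt, pow(g, x, N)

def login(password: str, salt: bytes, v: int):
    """One sign-in; returns (values sent on the wire, client key, server key)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                       # client -> server
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N         # server -> client
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value, abort the handshake")
    u = H(A, B)
    x = H(salt, password)                  # computed on the client, never sent
    client_S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    server_S = pow((A * pow(v, u, N)) % N, b, N)
    return {"salt": salt, "A": A, "B": B}, H(client_S), H(server_S)

if __name__ == "__main__":
    salt, v = register("correct horse battery staple")
    wire, ck, sk = login("correct horse battery staple", salt, v)
    print("keys match:", ck == sk, "| sent:", sorted(wire))
```

Both sides arrive at the same session key only when the client used the right password, and the values on the wire are the salt and the two public numbers A and B.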
We use WebCrypto
You already know your Master Password and Secret Key are what keep your data safe, and we go to great lengths to prevent someone from ever accessing them. But did you know that 1Password is the first and only password manager to use WebCrypto? This is the next-generation standard from the W3C when it comes to security and safety. WebCrypto provides us with direct access to the system’s secure random number generator — there are no redirects, shared information, or unsafe connections. This makes it the first truly secure cryptography possible in a browser, and we take full advantage of that! Learn more about how we use WebCrypto.
Has 1Password ever been hacked?
This is a fair question to ask. If you’re putting your trust in us, you want to know that it's deserved. We’re being completely honest when we say that no, 1Password has never been hacked. As mentioned at the beginning of the post, we take security very seriously and our goal is to ensure that your data stays locked up and secure and isn’t at risk of falling into the wrong hands.
However, we know that bad people like to do bad things, and that includes attempting to hack into servers where they don’t belong. You can rest assured that even in the worst-case scenario of a breach, your data is locked down tight.