1Password has never been hacked. But if it was, your passwords and information would still be safe. Here’s why.
You trust us with some of your most valuable data: confidential logins, bank information, secure notes, and more. So a question like, “What happens if 1Password gets hacked?” is completely reasonable. We want you to ask questions like this. It gives us the chance to answer them with total transparency.
Here’s why your information is safe with 1Password and why you don’t need to worry that your passwords will ever be exposed.
No single point of failure
Three things are needed to decrypt your information: the encrypted data itself, your Master Password, and your Secret Key. Your Master Password and Secret Key are secrets that are never sent to us, so we can’t access your data. So if our systems were compromised, no one else could access your data either.
We’ll never know your Master Password
Only you know your Master Password, which makes it extremely difficult to steal. We recommend you use the password generator because suggestions are drawn from a pool of 18,000 words. A four-word suggested password is one of about 100 million billion possible combinations. Suggested passwords are generated entirely on your device so your Master Password is never sent to us. Your Master Password is the only thing you need to remember.
Your Secret Key is yours alone
To access your data you’ll also need your Secret Key. This is an account-specific, 26-character, 128-bit strong key that is created on your device. Only you possess it, on the devices you choose. You don’t have to remember it yourself – your trusted devices do this for you.
Secret Keys are impossible to guess – they’re generated from a range of 2^128 possibilities. Written the long way, that means 340,282,366,920,938,463,463,374,607,431,768,211,456 possible combinations. And, like your Master Password, your Secret Key is never sent to our servers.
End-to-end encryption keeps your information safe
1Password uses encryption to make sure that only you can read your data. 1Password uses industry-standard 256-bit AES encryption, with keys derived from your Master Password and Secret Key along with a random number generator. Encryption happens on your device before a single byte is sent.
Likewise, both your Master Password and Secret Key are needed to decrypt your data on your local device. This means your sensitive information is completely safe from others whether it’s in transit or stored on our servers.
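The dependence on both secrets can be shown with a small sketch, added here as an illustration and not 1Password's actual key-derivation code. It assumes a PBKDF2-stretched password XORed with an HMAC of the Secret Key; the function names, iteration count and sample values are all constructed. It shows that someone holding only server-side data cannot confirm even a correct password guess without the Secret Key.

```python
import hashlib
import hmac
import secrets

def derive_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a slow password hash with the high-entropy Secret Key (assumed construction)."""
    # Slow, salted stretch of the human-chosen password (iteration count is an assumption).
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    # Keyed hash of the device-held Secret Key, bound to the same salt.
    sk_part = hmac.new(secret_key, b"secret-key-part" + salt, hashlib.sha256).digest()
    # XOR the two parts: the 256-bit result is only computable with BOTH secrets.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def key_check(key: bytes) -> bytes:
    """Stand-in for 'this key decrypts the vault': a value a server breach would expose."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()

def offline_guess(candidates, secret_key, salt, stolen_tag):
    """Return the candidate password that reproduces the stolen tag, else None."""
    for pw in candidates:
        tag = key_check(derive_key(pw, secret_key, salt))
        if hmac.compare_digest(tag, stolen_tag):
            return pw
    return None

def simulate_breach():
    # Constructed sample values, generated on the "device".
    salt = secrets.token_bytes(16)         # random, stored server-side
    secret_key = secrets.token_bytes(16)   # 128-bit, never leaves the device
    master_password = "correct-horse-battery-staple"
    stolen_tag = key_check(derive_key(master_password, secret_key, salt))
    # The guess list deliberately contains the real Master Password.
    wordlist = ["password1", "letmein", master_password]
    # Server-side breach: salt and tag are known, the Secret Key is not,
    # so a substitute 128-bit value has to be guessed.
    without_sk = offline_guess(wordlist, secrets.token_bytes(16), salt, stolen_tag)
    # Legitimate device: holds the Secret Key as well.
    with_sk = offline_guess(wordlist, secret_key, salt, stolen_tag)
    return without_sk, with_sk

if __name__ == "__main__":
    print(simulate_breach())
```
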
You don’t need to share secrets to confirm your identity
As we never see your Master Password or Secret Key, we need some other way to confirm your identity so your encrypted data is only ever accessible to you. To do this, we use the Secure Remote Password protocol. Unlike a traditional login, this means you never have to share sensitive information.
With Secure Remote Password, your Master Password and Secret Key are used to generate a new key, entirely separate from the one that encrypts your data. 1Password on your device sends the 1Password server a series of puzzles. Once solved, these prove to the server that you know your Master Password and Secret Key without having to share them. (Likewise, the server has to prove to your device that it holds the data you’re asking for.) These puzzles are different every time the app connects to the server, so they can never be replicated by an outside observer.
1Password has never been hacked
It bears repeating: 1Password has never been hacked. But if the worst happened, you can rest assured it wouldn’t mean your data was compromised.
Every decision we make at 1Password begins and ends with the safety and privacy of your information. We know how important your data is to you, and it’s on us to make sure it’s completely safe from prying eyes. We deeply respect your right to privacy.