1Password
Secure password manager with Watchtower monitoring, Travel Mode, passkeys, and developer tools — for individuals, families, and teams.
- Price: Individual $2.99/month (annual) / Families $4.99/month (annual) / Teams $19.95/month (up to 10) / Business $7.99/user/month
- Platforms: Browser extensions (Chrome, Firefox, Safari, Edge, Brave), Windows, macOS, Linux, iOS, Android, CLI
In This Guide
Who Is 1Password For?
1Password is a password manager built by AgileBits that stores, generates, and autofills passwords, passkeys, credit cards, secure notes, software licences, and other sensitive data. It launched in 2006 as a Mac-only utility and has grown into a cross-platform security tool used by over 150,000 businesses and millions of individuals worldwide.
At its core, 1Password solves a simple but critical problem: most people reuse weak passwords across dozens of accounts. A single breach exposes everything. 1Password eliminates this risk by generating unique, strong passwords for every site and storing them behind one master password plus a Secret Key that never leaves your devices.
1Password is ideal for several audiences. Individuals who want to stop reusing passwords and secure their digital lives with minimal effort. Families who need shared vaults for household accounts (Netflix, utilities, Wi-Fi passwords) while keeping personal vaults private. Developers who manage SSH keys, API tokens, environment variables, and server credentials. Teams and businesses that need to share credentials securely, enforce security policies, and maintain audit logs.
What sets 1Password apart from free alternatives like browser-based password managers is the depth of its security model, the quality of its apps, and the features designed for real-world scenarios — like Travel Mode for crossing borders, Watchtower for breach alerts, and granular vault sharing for teams. It's not the cheapest option, but it's the most complete.
Key Features
1Password packs a wide range of features beyond basic password storage. Here are the ones that matter most in daily use.
- Watchtower — a built-in security dashboard that monitors all your saved credentials against known data breaches (via Have I Been Pwned integration), flags weak or reused passwords, identifies sites where you haven't enabled two-factor authentication, and alerts you to expiring credit cards or soon-to-expire passwords. Watchtower gives you a single security score and actionable steps to improve it. It runs automatically and updates as new breaches are disclosed.
- Travel Mode — lets you mark specific vaults as "safe for travel." When you enable Travel Mode, 1Password removes all non-safe vaults from your devices. If your phone or laptop is inspected at a border crossing, only the vaults you've approved are visible. Disable Travel Mode when you arrive, and everything is restored. No other password manager offers this — it's uniquely valuable for business travellers and journalists.
- Vault organisation — passwords and items are organised into vaults, which function like folders with access controls. You might have a Personal vault, a Work vault, a Shared Family vault, and a Development vault. Each vault can be shared with specific people and given different permissions (view only, edit, manage). This granularity is essential for teams and families.
- Passkey support — 1Password fully supports passkeys, the FIDO2-based passwordless authentication standard adopted by Apple, Google, and Microsoft. You can create, store, and use passkeys directly from 1Password's browser extension. As more sites adopt passkeys, this positions 1Password as a central identity manager, not just a password manager.
- Family sharing — the Families plan supports up to 5 members, each with their own private vaults plus unlimited shared vaults. Parents can manage recovery for children's accounts. Sharing a Netflix password or Wi-Fi credentials is as simple as moving an item to a shared vault. Family members never see each other's private passwords.
- Browser extension — the 1Password browser extension (available for Chrome, Firefox, Safari, Edge, and Brave) handles autofill, password generation, and passkey authentication. It detects login forms automatically, suggests saved credentials, and offers to save new ones. The extension integrates with the desktop app for biometric unlock — Touch ID on Mac, Windows Hello on PC — so you rarely need to type your master password.
- Secure sharing (Psst!) — need to share a password with someone who doesn't use 1Password? The Psst! feature generates a secure, expiring link that the recipient can open in any browser. You control how long the link remains active and can revoke it at any time. No more sending passwords over Slack or email in plaintext.
- Item types — beyond passwords, 1Password stores credit cards, bank accounts, identity documents, secure notes, software licences, Wi-Fi passwords, medical records, SSH keys, API credentials, and custom fields. Each item type has a purpose-built template that structures the data sensibly.
Security Architecture
1Password's security model is built around two fundamental principles: zero knowledge and dual-key encryption.
- Secret Key architecture — when you create a 1Password account, it generates a 128-bit Secret Key that is combined with your master password to derive your encryption key. This means that even if AgileBits' servers were completely compromised, attackers could not decrypt your data without your Secret Key, which is stored only on your devices and in your Emergency Kit — never on 1Password's servers. This is a significant security advantage over password managers that rely solely on a master password.
- AES-256 encryption — all vault data is encrypted with AES-256-GCM, the same standard used by governments and military organisations. Encryption and decryption happen locally on your device. 1Password's servers only ever see encrypted blobs.
- Zero-knowledge architecture — AgileBits cannot access, read, or reset your data. If you lose both your master password and your Secret Key, your data is unrecoverable. This is a deliberate trade-off — it means no one at 1Password can be compelled to hand over your passwords, even under a court order, because they physically cannot decrypt them.
- SRP authentication — 1Password uses Secure Remote Password (SRP) protocol for authentication, which means your master password is never sent to the server — not even in hashed form. The server verifies you know the password without ever learning it.
- Regular security audits — AgileBits commissions independent security audits from firms like Cure53, ISE, and others. Audit reports are published publicly. They also run a bug bounty programme through Bugcrowd, paying researchers to find and report vulnerabilities.
In practical terms, this means 1Password has never had a breach that exposed user vault data. The Okta-related incident in late 2023 affected 1Password's internal Okta tenant but did not compromise any customer data or vaults. The company's transparent response to that incident actually increased confidence in their security posture.
Developer Tools & CLI
1Password has invested heavily in developer features, making it a legitimate tool for managing secrets in development workflows — not just browser passwords.
- 1Password CLI (op) — a command-line tool that lets you read and write vault items from the terminal. Use it in shell scripts, CI/CD pipelines, Dockerfiles, and automation workflows. Instead of hardcoding API keys in environment variables or .env files, reference them from 1Password:
op read "op://Development/AWS/access-key". - SSH agent — 1Password can act as your SSH agent, storing SSH keys in your vault and providing them to Git, SCP, and SSH commands on demand. Keys are protected by biometric unlock. No more unencrypted private keys sitting in
~/.ssh/. - Git commit signing — sign Git commits with SSH keys stored in 1Password. Proves authorship of your commits without managing GPG keys separately.
- Secret references — in configuration files, replace hardcoded secrets with 1Password references. The CLI resolves these at runtime. This keeps secrets out of version control and makes rotation straightforward — update the secret in 1Password, and every reference picks up the new value automatically.
- Shell plugins — 1Password provides plugins for popular CLI tools (AWS CLI, GitHub CLI, Stripe CLI, and others) that automatically supply credentials from your vault when you run commands. No more
export AWS_ACCESS_KEY_ID=...in your shell profile. - Connect Server — for teams, 1Password Connect is a self-hosted REST API that provides vault access to your infrastructure. Use it in Kubernetes, Terraform, Ansible, and other deployment tools to inject secrets at deploy time without storing them in config files or environment variables.
These developer features transform 1Password from a personal convenience tool into a legitimate secrets management platform. For small teams that don't want to set up HashiCorp Vault or AWS Secrets Manager, 1Password fills the gap effectively.
Pricing & Plans
| Feature | Individual ($2.99/mo) | Families ($4.99/mo) | Teams ($19.95/mo) | Business ($7.99/user/mo) |
|---|---|---|---|---|
| Users | 1 | Up to 5 | Up to 10 | Unlimited |
| Vaults | Unlimited | Unlimited + shared | Unlimited + shared | Unlimited + shared |
| Watchtower | Yes | Yes | Yes | Yes |
| Travel Mode | Yes | Yes | Yes | Yes |
| Passkey support | Yes | Yes | Yes | Yes |
| Guest accounts | No | No | No | Up to 20 |
| Admin controls | No | Recovery only | Basic | Advanced |
| Activity logs | No | No | Basic | Detailed audit logs |
| Custom groups | No | No | No | Yes |
| SSO integration | No | No | No | Yes (Okta, Azure AD, etc.) |
| 1Password Developer | Yes | Yes | Yes | Yes |
| Free trial | 14 days | 14 days | 14 days | 14 days |
The Individual plan at $2.99/month (billed annually at $35.88/year) covers everything a single user needs: unlimited passwords and items, all device types, Watchtower, Travel Mode, passkeys, and 1GB of document storage. This is competitive with Bitwarden Premium ($10/year) but significantly more polished in terms of UX and features like Travel Mode.
The Families plan at $4.99/month (billed annually at $59.88/year) is outstanding value for households. Five members, each with private and shared vaults, account recovery for family members, and permission controls. At roughly $1/person/month, it's an easy recommendation for any family that shares streaming, utility, or financial accounts.
The Teams Starter Pack at $19.95/month includes up to 10 users with shared vaults and basic admin controls. It's a flat rate, not per-user, making it economical for small teams. However, it lacks the advanced features (SSO, audit logs, custom groups) that larger organisations need.
The Business plan at $7.99/user/month adds enterprise features: SSO integration with Okta, Azure AD, and other identity providers; detailed audit logs; custom groups and role-based access; automated provisioning and deprovisioning; and up to 20 guest accounts for contractors or clients. For companies already using an identity provider, the SSO integration with 1Password's unlock via identity provider means employees may not even need to remember a master password.
All plans include a 14-day free trial with no credit card required. There is no free tier — unlike Bitwarden, which offers a capable free plan. This is 1Password's biggest competitive disadvantage on paper, though the trial period is long enough to evaluate whether the premium experience justifies the cost.
1Password — Secure Password Manager
Watchtower, Travel Mode, passkeys, developer CLI, and vault sharing. 14-day free trial available.
Try 1Password Free →