1 Key security features

1Password offers a number of notable security features.

True end-to-end encryption: All cryptographic keys are generated by the client on your devices, and all encryption is done locally. Details are in “A deeper look at keys.”

Server ignorance: We’re never in the position of learning your account password or cryptographic keys. Details are in “A modern approach to authentication.”

Nothing “crackable” is stored: A typical web service will store a hash of the user’s password. If captured, that can be used in password cracking attempts. Our two-secret key derivation mixes your locally held Secret Key with your account password so data we store cannot be used in cracking attempts. See “Making verifiers uncrackable with 2SKD” for details.

Thrice encrypted in transport: When your already encrypted data travels between your device and our servers, it’s encrypted and authenticated by Transport Layer Security (TLS) and our own transport encryption. Details are in “Transport security.”

You control sharing: Only someone who holds the keys to a vault can share that data with someone else. We don’t have those keys, so sharing decisions come from you. See “How vaults are shared securely” for details.

Team-managed data recovery: We don’t have the ability to recover your data if you forget your account password or lose your Secret Key (since you have end-to-end security). But recovery keys can be shared with team members. Details are in “Restoring a user’s access to a vault.”
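
To illustrate the “Nothing ‘crackable’ is stored” item above, here is an added example that is not 1Password’s code and not its actual 2SKD algorithm: a simplified Python sketch in which a stored value derived from the password alone can be matched against a wordlist, while one that also mixes in a device-held Secret Key cannot be matched without that key. The function names, the HMAC-and-XOR construction, the iteration count and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # assumption: kept low so the example runs quickly


def password_only_record(password: str, salt: bytes) -> bytes:
    """Conventional scheme: the stored value depends on the password alone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def two_secret_record(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret scheme: mix a slow password hash with a device-held Secret Key."""
    from_password = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Illustrative expansion of the Secret Key; the label is a made-up constant.
    from_secret = hmac.new(secret_key, b"2skd-example" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def matching_guesses(stored: bytes, candidates, derive) -> list:
    """Return the candidate passwords whose derived value equals the stored one."""
    return [c for c in candidates if hmac.compare_digest(derive(c), stored)]


def demo() -> dict:
    # All values below are constructed for this example.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    secret_key = bytes.fromhex("a3" * 16)  # 128 bits, held only on the user's devices
    password = "correct horse"
    wordlist = ["letmein", "correct horse", "hunter2"]

    stored_plain = password_only_record(password, salt)
    stored_2skd = two_secret_record(password, secret_key, salt)

    # Server-side data includes the salt but never the Secret Key,
    # so a holder of that data has to guess the key as well.
    key_guess = bytes(16)
    return {
        "password_only": matching_guesses(
            stored_plain, wordlist, lambda c: password_only_record(c, salt)),
        "two_secret_without_key": matching_guesses(
            stored_2skd, wordlist, lambda c: two_secret_record(c, key_guess, salt)),
        "two_secret_with_key": matching_guesses(
            stored_2skd, wordlist, lambda c: two_secret_record(c, secret_key, salt)),
    }


if __name__ == "__main__":
    for scheme, hits in demo().items():
        print(f"{scheme}: {hits}")
```

The middle result stays empty even though the correct password is in the wordlist, because every guess must also include the 128-bit key that never leaves the user's devices.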