Skip to main content
Field Guide

1Password Review (2026): The Best Password Manager for Teams

Best for: Small engineering teams and operators managing shared vaults, SSH keys, and developer secrets with granular permission controls.

UX module

Decision summary

Who it’s for, what it costs, and the catch — answered up top.

Best forSmall engineering teams…Primary use case
Plan fit$2.99/mo (intro),…Free tier available
Watch outSee caveatsMain caveat

Bottom line

1Password is a team-ready password manager for shared vaults, Watchtower credential-health monitoring, SSH key storage, CLI workflows, and admin-controlled access.

1Password has spent almost two decades earning its reputation as the gold standard for password management. Founded in 2006 by Agile Bits (now simply called 1Password, Inc.), it started as a Mac app and has grown into a full cross-platform suite used by millions of individuals, families, and some of the world’s largest organizations. In 2026, it remains the single most commonly recommended password manager by security professionals, developers, and power users alike — not because it’s the cheapest (it isn’t), but because it consistently gets the hard things right: security architecture, user experience, and team collaboration.

This review covers everything: what 1Password is and how it works, its pricing across all tiers, the Secret Key security model that sets it apart, platform coverage, developer features, team and enterprise capabilities, passkey support, Watchtower security monitoring, Travel Mode, and how it stacks up against Bitwarden, LastPass, Dashlane, and Apple Keychain. If you’re choosing a password manager in 2026, this is the review to read.

What Is 1Password?

At its core, 1Password is a password manager — software that generates, stores, and autofills passwords and other sensitive credentials across your devices. But calling it just a “password manager” undersells what it has become. In 2026, 1Password is a credential management platform: it handles passwords, passkeys, two-factor authentication codes, SSH keys, API tokens, secure notes, credit cards, identities, software licenses, and developer secrets. Everything sensitive lives in one encrypted, synchronized vault (or a set of vaults) that follows you across your Mac, PC, iPhone, Android device, and every browser you use.

The company was founded in Toronto, Canada in 2006 by Dave Teare and Roustem Karimov. For years it was a bootstrapped company growing purely on word-of-mouth — a rare feat in software. In 2019 and again in 2022, it took outside funding (ultimately $620 million at a $6.8 billion valuation), which accelerated its enterprise product development. Today, 1Password employs hundreds of people and serves more than 150,000 businesses alongside millions of individual users.

The core philosophy has remained consistent since 2006: your data is encrypted locally before it ever reaches 1Password’s servers. Not even 1Password employees can read your passwords. This zero-knowledge architecture is the foundation everything else is built on.

Security Architecture: The Secret Key Model

The most distinctive technical feature of 1Password is something most users never think about until they switch devices: the Secret Key. Understanding this concept is essential to understanding why 1Password is considered more secure than most alternatives.

Every 1Password account gets two factors of authentication for encryption:

  1. Your Master Password — the password you choose, memorable to you, never sent to 1Password’s servers.
  2. Your Secret Key — a 34-character randomly generated key (format: A3-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX) created when you first set up your account.

Your vault is encrypted using a key derived from both of these factors combined. This is not two-factor authentication in the login sense — it’s two-factor encryption at the cryptographic level. The Secret Key adds 128 bits of entropy to your encryption, making brute-force attacks against a stolen vault essentially impossible even with unlimited computing power.

Here’s why this matters: in the LastPass breach of 2022, attackers stole encrypted customer vaults. Those vaults were encrypted only with users’ master passwords. Given enough time and computing resources, attackers can attempt to crack master passwords through dictionary attacks — especially weak ones. With 1Password’s Secret Key model, even if an attacker obtained your encrypted vault, they would need both your master password AND your Secret Key. The Secret Key is never sent to 1Password’s servers in a recoverable form — it’s only stored on your devices. An attacker who breaches 1Password’s servers gets encrypted blobs that are computationally worthless without the Secret Key that’s only on your devices.

The tradeoff is recovery. If you lose your master password AND your Secret Key with no backup, your vault is gone — 1Password genuinely cannot recover it. This is why 1Password provides an Emergency Kit: a PDF that shows you where to write your master password and prints your Secret Key, intended to be stored somewhere physically secure (a safe, a locked drawer). This is the right tradeoff: the alternative (recoverable encryption) means someone else could also recover it.

Encryption Specifications

  • Data encryption: AES-256-GCM
  • Key derivation: PBKDF2-HMAC-SHA256 (iterations tuned to hardware)
  • Secret Key entropy: 128 bits (34-character base32)
  • Transport: TLS 1.2+ with certificate pinning on mobile
  • Zero-knowledge: 1Password cannot read your vault contents
  • Audit: SOC 2 Type II certified; regular third-party penetration tests

Pricing: All Plans Explained

1Password operates a subscription model with no permanent free tier. A 14-day free trial is available on all plans. Here’s a complete breakdown of 2026 pricing:

Individual — $2.99/month (billed annually)

The entry-level personal plan. Covers one user with unlimited vaults, items, and devices. Includes all core features: password storage and autofill, secure notes, credit cards, identities, Watchtower security monitoring, 1GB of document storage, two-factor authentication, Travel Mode, and access to the 1Password CLI for developer use. Billed at $35.88/year. This is excellent value for a professional who takes security seriously. The monthly billing option (no annual commitment) is available at a higher rate.

Families — $4.99/month (billed annually)

Covers up to 5 family members. Everyone gets their own private vault, and shared family vaults can be created for shared accounts (streaming services, utility logins, etc.). Family members can securely share specific items without exposing their entire vault. If a family member gets locked out, a family organizer can help recover their account. Billed at $59.88/year — less than $1/month per person for the whole family. This is one of the most cost-effective security upgrades a household can make.

Teams Starter — $19.95/month (billed annually)

For small teams up to 10 people. Flat rate regardless of user count (up to the limit). Includes shared vaults with role-based access, activity log, admin controls, two-factor authentication enforcement, and all individual features for each team member. This is the entry point for business use and covers most small teams’ needs at a predictable flat price. Teams that grow beyond 10 users move to the Business plan.

Business — $7.99/user/month (billed annually)

Per-user pricing for growing teams. Includes everything in Teams Starter plus: custom roles and permissions beyond the default admin/member/viewer roles, Duo MFA integration, custom security policies (e.g., enforce minimum password length, require 2FA on all accounts), advanced reporting, priority 24/7 support, and 5GB document storage per user. Also includes 20 guest accounts for external collaborators who need limited access without full seats. This is the right plan for companies of 20-500+ people who need compliance controls.

Enterprise — Custom pricing

Contact 1Password’s sales team. Adds: SCIM provisioning for automated user lifecycle management (connect to Okta, Azure AD, Google Workspace for automatic add/remove), SSO with enterprise identity providers, custom security policies beyond the Business tier, dedicated account manager, custom onboarding, SLA guarantees. Designed for organizations with thousands of users, compliance requirements, and complex identity infrastructure.

Price Comparison Context

1Password is not the cheapest option. Bitwarden Premium is $10/year for individuals. Bitwarden Families is $40/year. For a single individual, that gap is significant. For a business team, the per-user cost comparison depends heavily on which Bitwarden tier you’re comparing to. The premium 1Password charges is real — and so is what you get for it: better UX, Travel Mode, stronger developer tooling, more polished team administration. Whether that premium is worth it depends on your use case. For teams and professionals: generally yes. For budget-conscious individuals: Bitwarden is a legitimate alternative.

Platform Coverage: Where 1Password Works

Browser Extensions

1Password has extensions for every major browser: Chrome, Firefox, Safari, Edge, Brave, and Opera. The extensions are the primary way most users interact with 1Password day-to-day. They handle password autofill, password generation, saving new credentials, and surfacing relevant items as you browse.

The 1Password browser extension is notably good at identifying login forms that other password managers miss. It uses contextual understanding of page structure rather than simple URL matching, which means it correctly fills credentials on login pages with unusual URL patterns, multi-step authentication flows, and embedded iframes. The autofill accuracy in 2026 is among the best in the category.

New in recent versions: inline autofill suggestions appear directly in form fields as you click them — you don’t need to open the extension popup for simple autofill operations. This makes the workflow faster and less disruptive.

Desktop Apps

1Password ships native desktop apps for macOS, Windows, and Linux. These are genuinely native apps, not Electron wrappers — which matters for performance, memory usage, and system integration.

macOS: The Mac app is polished and feels at home on the platform. It integrates with Touch ID for vault unlock, supports the system clipboard (with configurable auto-clear), and works well with Quick Look for previewing secure documents. The Mac app handles the SSH agent integration, which allows signing git commits with SSH keys stored in 1Password.

Windows: The Windows app supports Windows Hello for biometric unlock (fingerprint and face recognition). It integrates with the Windows clipboard and notification system. The Windows app has historically lagged behind the Mac app in polish, but the gap has narrowed significantly in recent years.

Linux: Native Linux support is a meaningful differentiator. 1Password on Linux supports X11 and Wayland, integrates with gnome-keyring and KDE Wallet for session unlock, and includes the full desktop app experience. Linux support signals that 1Password takes developer users seriously.

Mobile Apps

iOS: The iOS app is excellent. Face ID and Touch ID unlock work seamlessly. AutoFill works across iOS apps — not just browsers. When an app (any app) presents a username/password field, iOS’s AutoFill framework can surface 1Password suggestions. This works in banking apps, enterprise tools, games, and anything else that uses standard iOS UI components. The iOS app also supports Share Sheet integration and works with Siri Shortcuts for power users.

Android: Full Android support including biometric unlock (fingerprint, face). Android autofill works across apps via the Accessibility service. Material Design UI that feels native rather than a port. Android 14 and higher have tighter integration with credential providers, and 1Password is a registered credential provider, meaning it integrates with the system-level passkey and password autofill infrastructure.

Passkey Support

1Password is one of the first major password managers to support passkeys as a first-class feature, and its implementation is the most complete in the category. Passkeys are cryptographic credentials that replace passwords entirely — they use public key cryptography to authenticate you without any shared secret that could be stolen.

1Password as a passkey provider means:

  • You can create and store passkeys in 1Password when signing up or upgrading an account on a passkey-supporting site
  • Stored passkeys sync across all your devices through 1Password’s encrypted sync
  • You can use a passkey stored on your phone to sign in on a desktop (cross-device passkey authentication)
  • Passkeys work through the same autofill workflow as passwords — no separate app needed

The cross-device sync is 1Password’s key advantage over platform passkey management (Apple Keychain, Google Password Manager). Platform passkeys are tied to that platform’s ecosystem. 1Password passkeys work on iOS, Android, macOS, Windows, and Linux without any special configuration. For users who move between ecosystems, this is significant.

Vaults: The Organizational Model

1Password organizes credentials into vaults — discrete containers that can be individually shared, permission-controlled, and traveled (Travel Mode). Understanding the vault model is key to using 1Password well, especially in team contexts.

Every account has a Personal vault by default. You can create additional vaults with custom names: Work, Clients, Finance, Social, Dev Secrets, etc. Each vault can be independently shared with other 1Password users.

In team and business accounts, vaults are the primary sharing mechanism. An admin creates a shared vault (e.g., “Marketing Team,” “Engineering Shared,” “Finance”), adds team members to it with appropriate roles (admin, can edit, can view), and those team members see that vault alongside their personal vault. Team members can’t see each other’s personal vaults. Sensitive items go in the right shared vault; personal items stay personal.

Roles within shared vaults:

  • Admin: Can manage vault membership, create/delete items, view all items
  • Can Edit: Can create, edit, and delete items; cannot manage membership
  • Can View: Read-only access to items in the vault

This model scales elegantly. A 5-person startup can run everything in two or three shared vaults. A 500-person company can have dozens of department-specific vaults with granular access. The vault model is one of the primary reasons 1Password dominates the team password manager category.

Watchtower: Proactive Security Monitoring

Watchtower is 1Password’s security dashboard — a persistent monitor that identifies security weaknesses in your saved credentials. Unlike a one-time audit, Watchtower runs continuously and updates as new information becomes available.

Watchtower monitors for:

Compromised Passwords

1Password integrates with Have I Been Pwned (HIBP), the breach database maintained by security researcher Troy Hunt. Watchtower checks your passwords against the HIBP database using a privacy-preserving k-anonymity method (it sends only the first 5 characters of the password’s SHA-1 hash, never the actual password) and flags credentials that appear in known breach datasets. If your old LinkedIn password shows up in the 2012 LinkedIn breach data, Watchtower will flag it for replacement.

Weak Passwords

Watchtower identifies passwords that are too short, don’t meet complexity requirements, or appear in common password lists. It assigns strength ratings and makes it easy to jump directly to a site to change a weak password.

Reused Passwords

Using the same password on multiple sites is one of the most common and dangerous habits. If your email password is reused on ten other sites and one of those sites has a breach, all ten accounts are compromised. Watchtower identifies all instances of password reuse across your vaults and surfaces them as a priority remediation.

Sites with 2FA Support

Watchtower identifies sites in your vault that support two-factor authentication but where you haven’t yet set it up. It cross-references a database of 2FA-capable sites and surfaces actionable recommendations — “This site supports 2FA. Set it up now.” It links directly to the site’s security settings page where possible.

Expired Items

Credit cards, driver’s licenses, passports, and other items in your vault have expiration dates. Watchtower flags them before they expire so you can update payment methods before your subscription auto-renewal fails.

The Watchtower dashboard in the 1Password app gives a health score and prioritized action list. It’s not just a dump of issues — it’s organized by severity and makes it easy to act on findings without hunting through your vault manually.

Travel Mode: The Unique Security Feature

Travel Mode is the 1Password feature with no equivalent in any competing password manager. It was introduced in 2017 and has become increasingly relevant as border security agencies in various countries have gained legal authority to demand access to travelers’ devices.

How Travel Mode Works

In 1Password, you can mark specific vaults as “Safe for Travel.” When you enable Travel Mode (in your 1Password account settings online), all vaults that are not marked safe for travel are instantly removed from all your devices. Not hidden — removed. There is no visible indication that these vaults exist or ever existed on your device. The vault data remains encrypted in 1Password’s servers; it’s just not present on the device.

When you’ve cleared customs and reach your destination, you disable Travel Mode from a device that’s now in a secure location, and your vaults are restored.

Why This Matters

Border agents in many jurisdictions (United States CBP, UK Border Force, various EU entry points, etc.) have legal authority to demand that travelers unlock their devices for inspection. Courts have generally upheld this authority at the border, even for citizens. If you carry sensitive client credentials, corporate secrets, privileged communications, or personal financial information, crossing certain borders creates a real legal risk of forced disclosure.

With Travel Mode, a border agent demanding device access will see exactly what’s in your travel vaults — which you can make contain mundane personal credentials — and nothing else. There’s no hidden vault indicator, no visible evidence that other vaults exist. This is not steganography; it’s plausible deniability backed by cryptographic architecture.

Travel Mode is particularly valued by journalists, lawyers, executives, and security professionals who cross borders with sensitive information. It’s also simply a good habit for anyone who travels internationally, even for non-sensitive reasons.

Developer Features: 1Password as Infrastructure

1Password’s developer tooling has evolved from a nice-to-have into a genuine differentiator for engineering teams. In 2026, the developer feature set includes the 1Password CLI, Secrets Automation, SSH key management, git commit signing, and integrations with CI/CD platforms.

1Password CLI (op)

The 1Password command-line interface (op) is a full-featured terminal tool for interacting with your 1Password vault. The core workflow for developer use is reading secrets without exposing them in environment variables or shell history:

# Read a specific field from a vault item
op read "op://Personal/AWS Prod/access_key_id"

# Inject secrets as environment variables for a command
op run -- your-app --database-url "op://Work/Prod DB/connection_string"

# Export multiple secrets into a shell session
eval $(op signin)

The op run command is particularly powerful for CI/CD use: it resolves op:// references in your environment variables and passes them to the command without ever writing them to disk or exposing them in process lists. This eliminates an entire category of secret sprawl that plagues most engineering teams.

Secrets Automation

For teams that need to manage secrets at scale across infrastructure — multiple services, containers, functions — 1Password Secrets Automation provides a service-account model. A service account gets an API token with scoped access to specific vaults. That token can be used by automated systems (Docker containers, Lambda functions, Kubernetes pods, CI/CD runners) to fetch secrets at runtime.

This replaces the common anti-pattern of committing secrets to .env files or hardcoding them in deployment configurations. Instead: the secret lives in 1Password, the service account token lives in the deployment environment (as an environment variable, a Kubernetes secret, or a CI/CD secret), and the actual credentials are never embedded in code or configuration files.

SSH Key Management

1Password can generate, store, and use SSH keys as if it were a local SSH agent. The workflow:

  1. Generate or import an SSH key in 1Password (or let 1Password generate one)
  2. Configure your SSH client to use 1Password as the SSH agent
  3. SSH connections are authenticated using the key stored in 1Password — the private key never touches the local filesystem in plain form
  4. Each use prompts for 1Password unlock (biometric on supported devices) — you get a confirmation step before the key is used

This replaces the traditional workflow of keeping ~/.ssh/id_rsa on disk (unencrypted or passphrase-protected), which creates risk if your laptop is stolen or compromised. The SSH key in 1Password is encrypted at rest and only unlocked when explicitly authorized.

Git Commit Signing

1Password’s SSH agent can sign git commits. Combined with GitHub/GitLab’s SSH commit signature verification, this allows you to cryptographically prove that commits come from you (the holder of the private key in 1Password). Setup involves configuring git to use 1Password as the signing agent and uploading the public key to your git hosting provider’s “Signing Keys” section. Signed commits get a “Verified” badge on GitHub.

CI/CD Integration

1Password publishes official integrations for:

  • GitHub Actions (1password/load-secrets-action)
  • GitLab CI (via op run in job scripts)
  • CircleCI, Jenkins, and other CI systems (via service account tokens)
  • Docker and Docker Compose (via op run -- docker compose up)
  • Terraform (via a 1Password provider for injecting secrets into Terraform runs)
  • Kubernetes (via 1Password Connect and the Secrets Injector)

The pattern is consistent: 1Password stores the secrets; the CI/CD system stores only the service account token; actual secrets are resolved at runtime. No secrets in .env files committed to repos. No secrets in CI/CD logs. No secrets in container images.

1Password for Teams and Business: The Organizational Features

Team and business features are where 1Password justifies its position as the enterprise standard for password management. Here’s what you get beyond the individual product:

Activity Log

The activity log records every significant action taken in a team 1Password account: who created an item, who edited it, who deleted it, who accessed which vault, who was added or removed from a vault, who changed their master password. This audit trail is essential for compliance purposes and for incident investigation. If credentials are compromised, the activity log helps answer “who had access, and when?”

Admin Console

The admin console (web-based) gives administrators a unified view of the team’s security posture: user list, vault list, 2FA enforcement status, Watchtower findings across the team, and policy controls. Admins can reset access for team members who lose their account credentials, enforce 2FA requirements, and set minimum security standards.

Domain Capture

When enabled, domain capture means that any user who signs up for 1Password using your company’s email domain gets automatically invited to join your team account. This prevents shadow IT — employees using personal 1Password accounts for work credentials instead of the company’s managed account.

Guest Accounts (Business plan)

Guest accounts are limited access seats for external collaborators — contractors, freelancers, agency partners — who need access to specific shared vaults without full team membership. Business plans include 20 guest accounts. Guests can only see the specific vaults they’ve been granted access to; they can’t see the admin console, other vaults, or team settings.

Provisioning and SSO (Enterprise)

Enterprise plans support SCIM (System for Cross-domain Identity Management) provisioning. This allows integration with identity providers like Okta, Azure Active Directory, Google Workspace, and OneLogin. When an employee joins the company, their 1Password account is automatically created and provisioned with the right vault access based on their group memberships in the identity provider. When they leave, their 1Password access is automatically revoked. This eliminates manual provisioning/deprovisioning, which is a significant security risk at scale.

SSO Unlock (available on Business and Enterprise) allows team members to unlock 1Password using their corporate SSO credentials — same login as Slack, Google Workspace, etc. This reduces credential fatigue and ensures that when an employee’s corporate account is disabled, their 1Password access is disabled simultaneously.

Custom Security Policies (Business and Enterprise)

  • Require minimum master password strength
  • Enforce two-factor authentication for all accounts
  • Restrict access to specific IP ranges or geographic regions
  • Set session timeout policies
  • Enforce Duo MFA integration
  • Configure automatic clipboard clearing

1Password for Families: The Family Plan Deep Dive

The Families plan ($4.99/month for up to 5 members, billed annually) is one of the most cost-effective security products available for households. Here’s what makes it work well as a family product:

Each family member gets their own private vault. A spouse, teenager, or parent cannot see the other’s private credentials. There are also shared family vaults for things everyone needs: the Netflix password, the home router WiFi password, the family email accounts, shared bank logins.

The Family Organizer role has special recovery capabilities. If a family member forgets their master password and has lost their Emergency Kit, the Family Organizer can help them regain access by confirming their identity and allowing them back in. This is more practical than most password managers’ recovery options, which typically require prior setup of a recovery email (often forgotten) or hardware token.

The Families plan also includes 1GB of document storage per family, which can hold scanned copies of passports, insurance cards, birth certificates, and other important documents in encrypted form.

For a household of 4-5 people, 1Password Families at $4.99/month works out to roughly $1/month per person — a compelling price for a significant security upgrade.

Comparison: 1Password vs Bitwarden

Bitwarden is the most direct competitor and the most common alternative recommendation. Here’s a thorough comparison:

Price

Bitwarden wins. Bitwarden has a functional free personal tier with unlimited password storage and device sync. Bitwarden Premium is $10/year. Bitwarden Families is $40/year for 6 users. Bitwarden Teams is $4/user/month. 1Password is more expensive at every tier. For a budget-constrained individual or very small team, Bitwarden’s pricing is unbeatable.

Open Source

Bitwarden wins. Bitwarden is fully open-source (MIT licensed). The server, clients, and mobile apps are all on GitHub and can be audited by anyone. 1Password is closed-source; security is validated through third-party audits and cryptographic transparency reports rather than code inspection.

Self-Hosting

Bitwarden wins. Bitwarden can be self-hosted using their official Docker images. Organizations with strict data sovereignty requirements can run Bitwarden entirely on their own infrastructure. 1Password is cloud-only with no self-hosting option.

User Experience

1Password wins. 1Password’s apps, extensions, and onboarding are more polished. The interface is more consistent across platforms. Autofill accuracy is marginally better. For non-technical users setting up a family plan, 1Password is noticeably easier to onboard. Bitwarden’s UI is functional but more spartan.

Travel Mode

1Password wins. Bitwarden has no equivalent to Travel Mode. This is a decisive advantage for frequent international travelers or anyone with cross-border security concerns.

Developer Tooling

1Password wins. 1Password’s CLI, SSH agent, git signing, and Secrets Automation integration are significantly more developed than Bitwarden’s. Bitwarden CLI exists but the ecosystem around developer workflows is thinner.

Security Architecture

1Password wins (marginally). Both are zero-knowledge with AES-256 encryption. 1Password’s Secret Key adds a meaningful additional layer against server-side breach scenarios. Bitwarden does not have an equivalent. Both have good track records and regular security audits.

Team Features

1Password wins. Vault sharing model, admin controls, guest accounts, SCIM provisioning, and the activity log are more complete in 1Password. Bitwarden has basic team features but doesn’t match 1Password at the organizational level.

Verdict: 1Password vs Bitwarden

For a budget-conscious individual or a developer comfortable with a functional but unpolished UI: Bitwarden. For a professional who wants the best UX, a team that needs strong organizational controls, or anyone crossing international borders regularly: 1Password. Both are excellent security choices; the right answer depends on your priorities.

Comparison: 1Password vs LastPass

LastPass was once the dominant password manager recommendation. The 2022 LastPass breach changed that permanently for many security professionals.

The LastPass Breach (2022)

In August 2022, LastPass disclosed that an attacker had gained access to their systems. The initial disclosure minimized the severity. Further disclosures in December 2022 revealed the full scope: the attacker had stolen encrypted customer password vaults. Critically, the attacker also stole metadata that wasn’t encrypted — including website URLs stored with credentials, which reveals what services you use even without cracking the vault.

The encrypted vault data was protected only by users’ master passwords, encrypted with PBKDF2-HMAC-SHA256. Users with weak master passwords faced real risk of vault decryption via offline brute force. Many users who hadn’t updated their PBKDF2 iteration settings faced significantly higher risk due to LastPass’s historically low default iteration count (1 only, for older accounts).

Why 1Password’s Architecture Would Have Mattered Here

Under 1Password’s Secret Key architecture, an attacker who obtained the encrypted vault database would still need users’ Secret Keys — 128-bit random values stored only on user devices, never recoverable from 1Password’s servers. Even with the complete vault database and unlimited computing resources, brute-forcing a vault protected by both a master password and a 128-bit Secret Key is computationally infeasible regardless of the master password’s weakness.

This is not hindsight — 1Password has had the Secret Key model since 2011. It was designed precisely to defend against server compromise scenarios.

LastPass in 2026

LastPass has undergone ownership changes and attempted security improvements since the breach. However, the trust damage among security professionals is significant and persistent. Most security professionals who previously recommended LastPass now recommend 1Password, Bitwarden, or Dashlane (for business users) instead. If you’re currently using LastPass, migrating to 1Password is a security improvement that’s worth the effort.

Comparison: 1Password vs Dashlane

Dashlane was historically a strong consumer-focused competitor to 1Password. As of 2025-2026, Dashlane has largely pivoted to B2B business customers and no longer maintains competitive personal plans. If you’re shopping for an individual or family plan in 2026, Dashlane is no longer a primary recommendation to compare. For business teams, Dashlane competes more directly with 1Password Business, with comparable enterprise features at similar price points — the choice between them often comes down to preference for specific SSO integrations or admin UI.

Comparison: 1Password vs Apple Keychain (iCloud Passwords)

Apple’s built-in password manager (now branded “Passwords” as a standalone app in iOS 18 and macOS 15) is the most common alternative for Apple-ecosystem users. It’s free and deeply integrated.

Where Apple Passwords Wins

  • Free — no subscription required
  • Zero setup — works immediately with an Apple ID
  • Deep OS integration on Apple devices
  • iCloud sync between Apple devices is seamless
  • Passkey support in Apple ecosystem
  • Good enough for basic personal use

Where 1Password Wins

  • Cross-platform: Works on Windows, Android, Linux. Apple Passwords is Apple-only. If you use a Windows PC at work, your passwords are only accessible via the web browser extension — not integrated into the OS.
  • Teams and sharing: Apple Passwords has limited family sharing capabilities. 1Password’s vault model is far superior for team use.
  • Watchtower vs Apple’s security recommendations: Both monitor for breached passwords, but Watchtower is more comprehensive and actionable.
  • Travel Mode: No Apple equivalent.
  • Developer CLI and SSH agent: Apple Passwords has no developer tooling.
  • Document storage and secure notes: 1Password is much more comprehensive.
  • Organization: 1Password vaults with custom organization vs. Apple’s single flat credential list.

Verdict: 1Password vs Apple Passwords

Apple-only households who don’t need team features and aren’t power users: Apple Passwords is perfectly adequate. Cross-platform users, teams, developers, travelers, and power users: 1Password is worth the subscription.

Setting Up 1Password: Getting Started

The onboarding experience is one of 1Password’s strengths. Here’s the recommended setup sequence:

  1. Create your account at 1password.com. Choose your plan. Start a 14-day trial if you’re evaluating.
  2. Save your Emergency Kit. Print the PDF. Write your master password on it. Store it somewhere physically secure. This is the most important setup step — without it, a forgotten master password means a permanently lost vault.
  3. Install the desktop app for your primary computer (Mac, Windows, or Linux).
  4. Install the browser extension for your primary browser. Sign in to the extension using your master password and Secret Key. The extension can import credentials from your browser’s built-in password manager.
  5. Import existing passwords. 1Password can import from: Chrome, Firefox, Safari, LastPass, Dashlane, Bitwarden, KeePass, and CSV files. The import wizard handles most common formats.
  6. Install mobile apps. iOS App Store or Google Play. Sign in and enable biometric unlock.
  7. Run Watchtower. After importing, immediately check Watchtower for reused and compromised passwords. Start with the highest-risk items.
  8. Enable Travel Mode if you travel internationally. Set up your travel vaults before your next trip.

1Password in Daily Use: What to Expect

After initial setup, 1Password fades into the background. The experience that matters is how it handles the daily friction of the web:

Logging into a site you’ve used before: click the login field, 1Password suggests the matching credential, you click or tap it, you’re in. Fast. The extension doesn’t interrupt if there’s an obvious match; it surfaces suggestions inline without requiring a popup interaction for straightforward cases.

Signing up for a new service: 1Password detects the registration form, offers to generate a new password, saves the new credential automatically. The generated password is strong (configurable: length, character types, memorable words vs. random) and immediately saved to your chosen vault.

Logging in on mobile: tap the username field in any app that supports AutoFill. Face ID prompt. 1Password fills the credentials. This works across iOS apps — banking apps, productivity tools, entertainment apps. Not just web browsers.

Sharing a credential with a colleague: right-click the item, select “Share,” grant access to a specific person or add the item to a shared vault. They see the credential in their 1Password account. No emailing passwords. No Slack messages with passwords. No shared spreadsheets.

Needing a password you can’t find: 1Password search is fast and fuzzy. Type any part of the site name, URL, username, or note attached to a credential. Results appear instantly.

Potential Drawbacks and Limitations

1Password is not perfect. Honest review requires acknowledging the downsides:

  • No free tier. The 14-day trial is the only way to evaluate without paying. For individuals considering their first password manager, this creates a barrier that Bitwarden doesn’t have.
  • Cloud-only architecture. If you need your vault data to never leave your infrastructure, 1Password is not an option. Bitwarden self-hosting is the alternative.
  • Recovery complexity. Losing both your master password and your Secret Key (Emergency Kit) means permanent vault loss. Most competing products have more approachable account recovery. The tradeoff (better security) is correct, but the risk of permanent data loss is real if users don’t maintain their Emergency Kit.
  • Price creep for large teams. Business plan at $7.99/user/month adds up quickly for large teams. A 100-person company pays roughly $9,600/year. Bitwarden Teams at $4/user/month is $4,800/year for the same headcount. The 1Password premium is meaningful at scale.
  • Windows app polish. Despite improvements, the Windows app still trails the macOS app in subtle ways. Windows users coming from Bitwarden may not notice, but Mac users switching to a Windows device may.
  • No offline vault. While 1Password caches vault data locally and works offline, initial setup and account recovery require internet access. For airgapped environments, this is a constraint.

Who Should Use 1Password?

1Password is the right choice if you’re in any of these categories:

Security-conscious professionals. The combination of Secret Key encryption, Travel Mode, Watchtower, and thoughtful security design makes 1Password the password manager you’ll feel good about recommending to a security-conscious colleague. It gets the important things right.

Developers and DevOps engineers. The CLI, SSH agent, git signing, and Secrets Automation integration are uniquely valuable. If you’re injecting secrets into CI/CD pipelines, managing SSH keys across infrastructure, or signing git commits, 1Password provides infrastructure that no competitor matches.

Engineering teams and small businesses. The vault sharing model, activity log, admin controls, and guest accounts make 1Password the most complete team credential management solution available. If your team is sharing passwords via Slack or shared spreadsheets, moving to 1Password Business is a significant security improvement.

International travelers. Travel Mode is available nowhere else. If you cross borders with a work device or with sensitive credentials, 1Password is specifically designed for your security needs.

Families who want easy sharing. The Families plan makes it easy to share streaming service credentials, family accounts, and important documents while keeping personal credentials private. The Family Organizer recovery capability is more practical than most alternatives.

Passkey early adopters. 1Password’s cross-platform passkey sync is the best implementation available if you want passkeys to work consistently across Apple, Windows, and Android devices.

Verdict and Rating

1Password earns its status as the most recommended premium password manager in 2026. The Secret Key security architecture, Travel Mode, comprehensive team features, developer CLI, and consistent UX across platforms represent a coherent product vision that has been executed well over nearly two decades.

It is not the cheapest option. Bitwarden is a legitimate alternative for budget-constrained individuals and organizations with self-hosting requirements. But the price premium 1Password charges is backed by a better user experience, features Bitwarden doesn’t have (Travel Mode, developer CLI ecosystem, polished team administration), and a security architecture that has held up under scrutiny while competitors have had breaches.

For individuals and families who can afford it, 1Password is the recommended choice. For teams and businesses, it’s the clear recommendation over every alternative at the security-and-usability intersection it occupies.

Overall Rating: 4.6 / 5

  • Security architecture: 5/5
  • User experience: 4.8/5
  • Team features: 4.8/5
  • Developer tooling: 4.9/5
  • Value for money: 4.0/5 (excellent for teams, steep for budget-conscious individuals)
  • Platform coverage: 4.5/5
  • Family features: 4.5/5

Frequently Asked Questions

Does 1Password have a free plan?

No. 1Password is a paid-only product across all tiers. A 14-day free trial is available on all plans, but there is no permanent free tier. If a free option is required, Bitwarden offers a functional free personal tier with unlimited device sync.

What happens if I forget my master password?

If you have your Emergency Kit (which contains your Secret Key and where you should have written your master password), 1Password can help you set a new master password. If you’re on a Families or Teams plan, the Family Organizer or team admin can help recover your account. If you have no Emergency Kit and no account recovery option available, your vault data is permanently inaccessible — 1Password cannot recover it due to the zero-knowledge architecture.

Is 1Password safe after the LastPass breach?

1Password’s architecture was specifically designed to defend against the scenario that made the LastPass breach damaging. The Secret Key means an attacker who obtains 1Password’s server data cannot brute-force vaults without also having each user’s Secret Key, which is stored only on their devices. 1Password has never had a comparable breach event in its 18-year history.

Can I use 1Password on both Mac and Windows?

Yes. 1Password has native apps for macOS, Windows, and Linux. One subscription covers unlimited devices across all platforms. Your vault syncs across all devices through 1Password’s encrypted sync infrastructure.

Can 1Password store passkeys?

Yes. 1Password is a registered passkey provider on iOS, Android, macOS, and Windows. When you create a passkey on a supporting website, you can save it to 1Password instead of to your device’s platform manager (Apple Keychain, Google Password Manager). 1Password passkeys sync across all your devices regardless of platform.

Does 1Password work with enterprise SSO (Okta, Azure AD)?

Yes, on Business and Enterprise plans. 1Password supports SSO Unlock with Okta, Azure Active Directory, Google Workspace, and other SAML-compatible identity providers. Enterprise plans also support SCIM provisioning for automated user lifecycle management.

What is the Secret Key and where do I find it?

The Secret Key is a 34-character randomly generated key created when you first set up your 1Password account (format: A3-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX). You’ll find it in your Emergency Kit, in the 1Password app under Settings, and on the 1Password website in your account settings. Store your Secret Key securely — you’ll need it when signing in on a new device.

Can I share individual passwords with someone who doesn’t have 1Password?

Yes. 1Password’s secure link sharing feature lets you generate a link to a specific credential. The recipient can view the password without needing a 1Password account. Links can be set to expire after a time period or after a single view, minimizing exposure.

Does 1Password support biometric authentication?

Yes. Face ID and Touch ID on iOS, Face ID on newer iPhone and iPad models, fingerprint on Android, Touch ID on Mac, and Windows Hello (face and fingerprint) on Windows. Biometric unlock only unlocks the local cache of your vault — it doesn’t bypass the master password for new device setup or full re-authentication.

Is 1Password good for non-technical family members?

Yes. 1Password’s onboarding and daily use are designed to be accessible to non-technical users. The browser extension autofill is largely automatic. The iOS app works with Face ID. The main challenge is the initial setup (particularly understanding the Emergency Kit), which benefits from a more technical family member helping. Once set up, day-to-day use is simple and unobtrusive.

How does 1Password compare for solopreneurs and freelancers?

The Individual plan at $2.99/month is well-suited to freelancers who manage client credentials, API keys, and service accounts across multiple projects. The vault organization model allows clean separation between different clients or projects. Watchtower ensures you’re not reusing passwords across client environments. The CLI is useful for developers who want to inject credentials into project environments without committing them to version control. For a freelancer who takes security seriously, 1Password Individual is a reasonable professional expense.

Does 1Password have a web interface?

Yes. 1Password can be accessed at my.1password.com from any web browser without installing the desktop app. The web interface provides full access to your vault, settings, and admin controls. This is useful when accessing from a shared or temporary computer where you don’t want to install software. The web interface also handles Emergency Kit download, Secret Key retrieval, and account recovery workflows.

Pros & cons

Pros

  • Strong team vault permissions; developer-native SSH/CLI/secrets tooling; Watchtower credential-health monitoring

Cons

  • No free plan; Teams Starter Pack capped at 10 users; cloud-only with no self-hosting

Who it’s for

Ideal for: Small engineering teams and operators managing shared vaults, SSH keys, and developer secrets with granular permission controls.