1Password review for journalists. Is it enough for source protection?

1Password manages credentials. It generates strong, unique passwords, stores them in an encrypted vault, and makes them accessible across devices without requiring you to remember or reuse them. For the threat profile most journalists face — credential phishing, account takeover, password reuse across services — it directly addresses the most common entry point.

What it does not do is protect your sources. It does not encrypt your communications. It does not prevent metadata exposure. Treating it as a complete privacy solution would be the same mistake as treating a VPN as one. (See: how journalists are actually compromised.)

What 1Password actually does

The vault is encrypted locally before it syncs to 1Password’s servers, which means 1Password cannot read your stored credentials. They have published the results of their security audits, and the architecture has held up under scrutiny by security professionals in enterprise environments.

The Secret Key system is 1Password’s distinctive design choice. Account access requires both your master password and a 128-bit Secret Key that never leaves your devices. Even if 1Password’s servers were breached, the encrypted vaults would be unusable without the Secret Key. This addresses the scenario that breaks many credential managers: a server-side breach that exposes the vault.

Travel Mode

Travel Mode is the feature that matters most for the threat profiles this site is built around. When Travel Mode is enabled, you designate certain vaults as safe for travel and remove all others from your devices. A device searched at a border shows only the vaults you marked as travel-safe. The hidden vaults do not appear in the app, do not appear in settings, and leave no visible trace. It is the only mainstream password manager with a credible implementation of this feature.

The audit record

1Password has undergone multiple independent security audits including assessments by Cure53. Results are available in summary form. For journalists using 1Password for source-adjacent credentials — accounts where a compromise would reveal professional relationships — the audit record matters more than the feature list.

Where it fits in the stack

Credential management addresses the most common form of account compromise. Most journalist accounts that get taken over are taken over through reused passwords or phishing attacks that capture credentials. 1Password with a hardware security key on critical accounts eliminates both of those vectors.

It does not replace Proton Mail for source communications. It does not replace Signal for messaging. It does not replace a VPN for network protection. It is the foundation of account security, not the whole structure.

The order of implementation: secure the device, then secure the accounts with a password manager and hardware key, then secure communications with the right tools for the threat level. 1Password belongs in step two. (See: build your threat model in 20 minutes.)

Frequently asked questions

Is 1Password safe for journalists?

Yes, with the caveat that it addresses credential security specifically. It has been independently audited, uses an architecture that protects vaults even in a server-side breach, and includes Travel Mode for border crossing scenarios. It does not protect communications, source identities, or metadata.

What is Travel Mode in 1Password?

Travel Mode hides specific vaults from your device when crossing borders. Only vaults you designate as travel-safe are visible in the app. Hidden vaults leave no trace on the device and cannot be compelled from you during a border search if you do not disclose their existence. It is the most operationally relevant feature 1Password offers for journalists in high-risk environments.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.