1Password is a password manager built by AgileBits, a Toronto-based company founded in 2005. The vault is encrypted client-side with the master password and a separate Secret Key generated at signup. Stores passwords, TOTP seeds, secure notes, payment cards, and document scans. Sync runs through 1Password’s servers without giving them readable access.
What it means in practice
The Secret Key is what makes 1Password mathematically harder to compromise than a passphrase-only manager. Even if 1Password’s servers were breached and the encrypted vault stolen, the attacker still needs both the master password (which lives in your head) and the Secret Key (which lives on your devices). Brute-forcing one without the other is computationally infeasible. The trade-off: lose both and the data is gone forever. There is no recovery, no support backdoor, no reset link. That property is also the product.
Who uses it, and against whom
The customer base spans solo journalists who need TOTP storage on the same device as their notes, law firms who buy Teams or Business plans for client matter compartmentation, and engineering teams running fleets of 50 to 5,000 seats. Adversaries are mostly account-takeover crews running credential-stuffing attacks against personal accounts, plus the occasional targeted intrusion against a specific employee. The 2024 Okta breach reached 1Password’s support tier and the team published a detailed post-mortem within days. That transparency itself is a buying signal. Predaxia currently does not recommend 1Password as the default for high-risk operators (NDA on the affiliate refusal, but the editorial position stands), preferring open-source alternatives where the vault format is auditable end-to-end.
What you can change today
Three actions take ten minutes total. First, generate a passphrase of seven random dictionary words for the master password and write the Secret Key on metal stored apart from your laptop. Second, enable Travel Mode before any border crossing, which strips designated vaults from the device until you reactivate from a safe location. Third, audit the Watchtower report monthly: it surfaces breached sites, weak passwords, and reused credentials, and most operators discover three to seven legacy reuses they had forgotten.
