About the security of 1Password in your browser

Learn how 1Password protects your data when you use it in your browser.

When you use 1Password in your browser, you can fill and save passwords, find and edit items, and more – all without leaving your browser. Because 1Password works everywhere you do, you can be more secure in more places.

Your data is protected by strong encryption

When you use 1Password in your browser, your data is protected using the same security model that always protects your 1Password account. Everything is encrypted locally on your devices with keys that only you have. Data is encrypted at rest and in transit – just like in the other 1Password apps.

Learn more about the 1Password security model.

Your data is protected in your browser

“Overall, [1Password] was found to be unusually robust with exceptional error handling, careful data processing, and data encryption that was well considered and thoughtfully implemented.” ― AppSec Consulting, “Penetration Test and Code Review Report”

The security environment for an extension in a web browser is different from that in a desktop or mobile app. 1Password protects your data in ways that are unique to that environment to make sure it’s not susceptible to known browser-based attacks.

1Password runs in a sandboxed background page provided by the WebExtensions API, not in the untrusted web environment. Scripts running on web pages you visit have no way of interacting with the sandbox.

  • The pop-up runs outside of the web pages you visit. Only you can open and control it.
  • Inline menus are loaded in iframes, with their source set to a resource inside the extension bundle. Same-origin policy prevents pages from looking inside these iframes or interacting with their contents.
  • Messages are passed between extension components and the page using the extension messaging API rather than DOM events, so they can’t be intercepted or spoofed by untrusted web pages.
  • Parsing is done with safe, tested methods, and all input is sanitized before being displayed to prevent XSS (cross-site scripting) attacks.
  • A restrictive CSP (Content Security Policy) prevents 1Password from loading untrusted external resources.
  • TypeScript enforces type safety and provides static analysis tools to make sure that 1Password is just as robust as every other 1Password app.
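
The CSP point in the list above can be checked for any extension by reading its manifest. The following is an added example, not 1Password's code or manifest: it reads the `content_security_policy` key (a string in Manifest V2, an object with `extension_pages` in Manifest V3) and reports script or object sources other than the extension's own origin. The function names and both sample manifests are constructed for illustration.

```javascript
// Added example: audit a WebExtension manifest's CSP for sources that would
// let extension pages load code from outside the extension bundle.
// Function names and sample manifests are constructed, not 1Password's.

// Return the policy string for extension pages (MV2: string, MV3: object).
function extensionPagePolicy(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;
  if (csp && typeof csp.extension_pages === "string") return csp.extension_pages;
  return null; // not declared: the browser's default policy applies
}

// Parse "directive src src; directive src" into a Map of name -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by CSP parsers, so keep the first one.
    const key = name ? name.toLowerCase() : "";
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Report sources in script-src/object-src that are not the extension itself.
function auditExtensionCsp(manifest) {
  const policy = extensionPagePolicy(manifest);
  if (policy === null) return [];
  const directives = parseCsp(policy);
  const findings = [];
  for (const name of ["script-src", "object-src"]) {
    // Both directives fall back to default-src when they are absent.
    const sources = directives.get(name) ?? directives.get("default-src");
    if (!sources) { findings.push(`${name}: no directive in declared policy`); continue; }
    for (const src of sources) {
      const s = src.toLowerCase();
      if (s === "'unsafe-eval'" || s === "'unsafe-inline'") {
        findings.push(`${name}: ${s} permits dynamic code`);
      } else if (!s.startsWith("'")) { // host, scheme or wildcard source
        findings.push(`${name}: ${s} is not the extension's own origin`);
      }
    }
  }
  return findings;
}

const strictManifest = { manifest_version: 3, content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" } };
const looseManifest = { manifest_version: 2, content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'" };
console.log(auditExtensionCsp(strictManifest), auditExtensionCsp(looseManifest));
```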

Protect yourself when using 1Password in your browser

The 1Password X lock screen

  • Only enter your Master Password in the 1Password pop-up from your browser’s toolbar. Unless you are on, never enter your Master Password directly into a web page. 1Password will never ask for your Master Password in the inline menu that appears below form fields.
  • Make sure 1Password and your browser are up to date. Chrome and Firefox update themselves and browser extensions automatically, but you may need to restart your browser occasionally to receive updates.
  • Adjust how long it takes 1Password to lock automatically. Click the 1Password button in your toolbar. Then click and choose Settings.
  • Only use 1Password on trusted computers. 1Password is sandboxed from untrusted web pages, but it assumes that you trust your web browser and your other browser extensions. It stores your Secret Key in local storage and is not meant to be used on a public computer.
  • Limit your use of other browser extensions. A malicious or badly made browser extension could interfere with 1Password or attempt to expose your data. If you need to use untrusted extensions, consider using a separate browser profile just for 1Password.
