About the security of 1Password in your browser

Learn how 1Password protects your data when you use it in your browser.

When you use 1Password in your browser, you can save passwords and sign in to websites, find and edit items, and more – all without leaving your browser. Because 1Password works everywhere you do, you can be more secure in more places.

Your data is protected by strong encryption

When you use 1Password in your browser, your data is protected using the same security model that always protects your 1Password account. Everything is encrypted locally on your devices with keys that only you have. Data is encrypted at rest and in transit – just like in the other 1Password apps.

Learn more about the 1Password security model.

Your data is protected in your browser

“Overall, [1Password] was found to be unusually robust with exceptional error handling, careful data processing, and data encryption that was well considered and thoughtfully implemented.” ― AppSec Consulting, “Penetration Test and Code Review Report”

The security environment for an extension in a web browser is different from that in a desktop or mobile app. 1Password protects your data in ways that are unique to that environment to make sure it’s not susceptible to known browser-based attacks.

1Password runs in a sandboxed background page provided by the WebExtensions API, not in the untrusted web environment. Scripts running on web pages you visit have no way of interacting with the sandbox.

  • The pop-up runs outside of the web pages you visit. Only you can open and control it.
  • Inline menus are loaded in iframes, with their source set to a resource inside the extension bundle. Same-origin policy prevents pages from looking inside these iframes or interacting with their contents.
  • Messages are passed between extension components and the page using the extension messaging API rather than DOM events, so they can’t be intercepted or spoofed by untrusted web pages.
  • Parsing is done with safe, tested methods, and all input is sanitized before being displayed to prevent XSS (cross-site scripting) attacks.
  • A restrictive CSP (Content Security Policy) prevents 1Password from loading untrusted external resources.
  • TypeScript enforces type safety and provides static analysis tools to make sure that 1Password in your browser is just as robust as every other 1Password app.

Your data is protected outside your browser

When you use 1Password in your browser, it checks for the 1Password app. If you have the app installed, the app and extension establish a secure connection. This connection allows you to lock and unlock the 1Password app and extension together. Secrets used to secure the connection are protected in the following ways:

  • Native messaging ports allow 1Password to verify the connection between the app and extension. Before accepting a connection, the 1Password app verifies the extension ID and native messaging hosts file.
  • Code signature validation makes sure the browser is properly signed on macOS and Windows. On Linux, 1Password verifies that the browser is an approved one and owned by root.
  • Secure inter-process communication means messages in transit between the 1Password app and extension are protected. Only you have the keys to access and decrypt your data.
  • You can choose to lock or unlock both the 1Password app and 1Password in the browser, and can configure the lock and unlock settings.
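
One way a native app can check the extension ID and the native messaging hosts file before accepting a connection, shown as an added example that is not 1Password's code. It assumes Chrome's documented host manifest layout (`name`, `path`, `type`, `allowed_origins`); the host name, path and extension IDs are constructed placeholders.

```javascript
// Added example, not 1Password's code. All IDs, names and paths are constructed.
const APPROVED_IDS = new Set(["abcdefghijklmnopabcdefghijklmnop"]); // placeholder ID
const ORIGIN_RE = /^chrome-extension:\/\/([a-p]{32})\/$/;

// Returns the extension ID if origin is well formed and approved, else null.
function approvedId(origin) {
  const m = typeof origin === "string" ? ORIGIN_RE.exec(origin) : null;
  return m && APPROVED_IDS.has(m[1]) ? m[1] : null;
}

// Returns a list of problems; an empty list means the manifest is acceptable.
function checkHostManifest(manifest, expectedName) {
  const problems = [];
  if (manifest.name !== expectedName) problems.push("unexpected host name");
  if (manifest.type !== "stdio") problems.push("type must be stdio");
  // Assumption: require a POSIX absolute path, as Chrome does on macOS and Linux.
  if (typeof manifest.path !== "string" || !manifest.path.startsWith("/"))
    problems.push("path must be absolute");
  const origins = manifest.allowed_origins;
  if (!Array.isArray(origins) || origins.length === 0) {
    problems.push("allowed_origins missing or empty");
  } else {
    // Every listed origin must be approved: one extra entry is enough to
    // let a different extension launch the host.
    for (const o of origins)
      if (!approvedId(o)) problems.push(`unapproved origin: ${o}`);
  }
  return problems;
}

// Accept only if the hosts file is clean and the caller origin (Chrome passes
// it to the host as a command-line argument) is approved and listed in it.
function acceptConnection(manifest, expectedName, callerOrigin) {
  return checkHostManifest(manifest, expectedName).length === 0 &&
    approvedId(callerOrigin) !== null &&
    manifest.allowed_origins.includes(callerOrigin);
}

// Constructed sample manifests: one clean, one with an extra origin added.
const GOOD_ORIGIN = "chrome-extension://abcdefghijklmnopabcdefghijklmnop/";
const SAMPLE_GOOD = { name: "com.example.host", description: "Example host",
  path: "/opt/example/host", type: "stdio", allowed_origins: [GOOD_ORIGIN] };
const SAMPLE_TAMPERED = { ...SAMPLE_GOOD, allowed_origins: [GOOD_ORIGIN,
  "chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"] };
```

The tampered sample is rejected even when the caller itself is the approved extension, because the hosts file no longer matches what the app expects.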

Protect yourself when using 1Password in your browser

  • Only enter your 1Password account password in the 1Password pop-up from your browser’s toolbar. Unless you are on 1Password.com, never enter your 1Password account password directly into a web page. 1Password will never ask for your account password in the inline menu that appears below form fields.
  • Make sure 1Password and your browser are up to date. Chrome and Firefox update themselves and browser extensions automatically, but you may need to restart your browser occasionally to receive updates.
  • Adjust how long it takes 1Password to lock automatically. Click the 1Password button in your browser’s toolbar, then click the 1Password in your browser menu and choose Settings. You’ll find the options in the Security section.
  • Only use 1Password on trusted computers. 1Password is sandboxed from untrusted web pages, but it assumes that you trust your web browser and your other browser extensions. It stores your Secret Key in local storage and is not meant to be used on a public computer.
  • Limit your use of other browser extensions. A malicious or badly made browser extension could interfere with 1Password or attempt to expose your data. If you need to use untrusted extensions, consider using a separate browser profile just for 1Password.
