Forum Discussion
VT1P (Frequent Contributor), 3 years ago
Is 1Password preparing a report on lessons from the LastPass breach?
I thought I knew what "zero knowledge" means, and I thought it was the gold standard for security. From the LastPass security breach, it seems there may be different degrees of zero knowledge securi...
1P_PeterG (Community Manager), 3 years ago
Hi VT1P, thanks for these questions. I can understand your concerns, and am happy to help.
First, there are a few basic principles that underpin our approach:
We lean into privacy. This is partly a philosophical choice (privacy is good) but it also has security implications: if we don't have your information, we can't lose control of it in a breach.
We rely on strong encryption - really strong encryption - to secure your data. This makes your data inaccessible to anyone who doesn't have your account password and Secret Key, including us.
But, to your point, that's only true if there isn't fine print attached to it, right? Like, if we only encrypt some of your items, or leave other aspects of your data unprotected, then it's not really as simple as "lean into privacy and rely on strong encryption." Fortunately, everything in your 1Password database - logins, secure notes, you name it - is all encrypted. Our colleague Zak goes into detail on this here.
When it comes to how your non-secret information is handled generally, and what we know and don't know about you, I can recommend our privacy primer. The most information-revealing thing a typical 1Password customer will do, when needed, is to send us diagnostics so that we can help with troubleshooting. Information on what's shared in those diagnostics is covered here.
Regarding our infrastructure, we rely on Amazon Web Services (and actually have a little-known public page for it!). While these are third-party servers, your information as always is encrypted end-to-end with keys that only you possess. We never have your account password or Secret Key, and thus have no ability to back them up anywhere.
I am still wondering if any similarities exist between LastPass's practices and 1Password's practices and, if yes, how 1Password is better protected than LastPass from a similar breach.
This is a fair question. We share some similarities, in the sense that both companies use cloud services to sync encrypted data across devices, but a big (critical) difference-maker is the Secret Key. It just makes the math of breaking 1Password's encryption way, way more infeasible. I hesitate to comment further on LastPass's specific situation other than to say that we've imposed substantially higher requirements on what we consider the secure encryption and handling of data to be.
However, our principal Security Architect, Jeffrey Goldberg, just wrote a blog post about the LastPass breach, and how our approach to encryption compares.
With that said, we understand that there's no such thing as absolute security. We'll be continually revisiting our security controls and assessing risks as they come up. If you're interested, @shaywood shared some insightful background earlier this month on what it would take to compromise our cryptography.
Further Reading
If you'd like to have a look at the fine-grained specifics of our implementation, the 1Password Security Design whitepaper can be found here. The "Beware the Leopard" section contains candid information on risk and the limits of our current approach.
Finally, I should mention that our apps and services are routinely audited by independent security firms (we had 6 such audits in 2022 alone). Those reports are also public.
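To make concrete what the Secret Key changes about the "math" of an offline attack mentioned in the reply above, here is an added example in Python. It is not 1Password's code and is not taken from the post or the whitepaper; it is a simplified model with assumed parameters (a deliberately low PBKDF2 iteration count, an illustrative HKDF label, XOR as the step that combines the two secrets, a 128-bit Secret Key length, and a constructed salt and wordlist). It models a server-side breach in which the attacker obtains the per-account salt and enough vault material to check key guesses offline, and compares a password-only derivation with one that also mixes in a random Secret Key the server never held.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Added illustration, not 1Password's implementation. Every parameter below
# (iteration count, HKDF label, XOR combiner, key sizes) is an assumption
# chosen for a fast, readable demo.

PBKDF2_ITERATIONS = 10_000  # low so the demo runs in well under a second; production uses far more
KEY_LEN = 32                # bytes; one SHA-256 output, so a single HKDF block is enough

# Constructed inputs: a fixed per-account salt (held by the server, so stolen in a
# breach) and a short wordlist standing in for an attacker's dictionary.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
WORDLIST = ("letmein", "qwerty", "password123", "hunter2")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869) extract-then-expand for a single output block (<= 32 bytes)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # HKDF-Extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:KEY_LEN]  # T(1)


def derive_password_only(password: str, salt: bytes) -> bytes:
    """Classic design: the vault key depends only on the password and a server-held salt.
    Anyone holding the salt can test password guesses offline at PBKDF2 speed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)


def derive_two_secret(password: str, salt: bytes, secret_key: bytes) -> bytes:
    """Two-secret design (simplified): PBKDF2(password) XOR HKDF(secret_key).
    A correct password guess combined with a wrong Secret Key yields a useless key,
    so an attacker without the Secret Key must also search its 2^128 values."""
    pw_part = derive_password_only(password, salt)
    sk_part = hkdf_sha256(secret_key, salt, b"demo-secret-key")  # label is an assumption
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(key: bytes) -> bytes:
    """Stand-in for the stolen server-side material that lets a key guess be checked
    offline, e.g. an authentication tag over the encrypted vault."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def offline_attack(verifier: bytes, derive_from_guess: Callable[[str], bytes]) -> Optional[str]:
    """Dictionary attack: derive a key per candidate password and test it against
    the stolen verifier. Returns the recovered password, or None if every guess fails."""
    for guess in WORDLIST:
        if hmac.compare_digest(make_verifier(derive_from_guess(guess)), verifier):
            return guess
    return None


def demo(password: str = "password123") -> Dict[str, Optional[str]]:
    """Simulate a breach: the attacker gets SALT and both verifiers, never the Secret Key."""
    secret_key = secrets.token_bytes(16)  # 128-bit, generated client-side, never sent to the server
    stolen_pw_only = make_verifier(derive_password_only(password, SALT))
    stolen_two_secret = make_verifier(derive_two_secret(password, SALT, secret_key))

    return {
        # Weak password plus stolen salt: the wordlist attack recovers it.
        "password_only": offline_attack(
            stolen_pw_only, lambda g: derive_password_only(g, SALT)),
        # Same weak password, but the attacker must also guess the Secret Key; one random
        # guess out of 2^128 is shown here, and every password in the list fails with it.
        "two_secret_no_key": offline_attack(
            stolen_two_secret, lambda g: derive_two_secret(g, SALT, secrets.token_bytes(16))),
        # Sanity check: a client that does hold the Secret Key derives the right key.
        "two_secret_with_key": offline_attack(
            stolen_two_secret, lambda g: derive_two_secret(g, SALT, secret_key)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo isolates is that a password-only scheme lets a breached server database be attacked at the speed of the password hash, so a weak password falls to a dictionary, while mixing in a high-entropy secret that the server never stored multiplies the attacker's search space by 2^128 regardless of how weak the password is. The Secret Key does not replace the account password (the third result shows both are still needed); it removes the server as a single point whose compromise makes password guessing worthwhile.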