How 1Password Works: An Interactive Explainer

Step 1: Create Your Account

ℹ️ This is a simulation, no actual account will be created

Email Address

Password

This password never leaves your device and is never stored by 1Password

What happens next?

1. A unique Secret Key is generated locally
2. Your password is combined with the Secret Key
3. Cryptographic keys are derived for encryption
4. Your account is ready to store encrypted data

Anatomy of Your Secret Key

Generated Secret Key

Important: Save this Secret Key securely. You'll need it to access your account.

Why the Secret Key Matters

Extra Entropy: Extra Entropy: Adds ~128 bits of randomness beyond your Account Password, significantly strengthening security

Device-Generated: Created locally on your device, never transmitted or stored by 1Password servers

Two-Factor Security: Even if someone knows your Account Password, they still need your Secret Key

Account Binding: Contains your unique account identifier, linking all your encrypted data

Step 2: Derive the Account Unlock Key

Key Derivation Process

Password

User Input

••••••••••••

+

Secret Key

Device Generated

A3-••••••-••••••

↓ PBKDF2

Account Unlock Key (AUK)

Derived via PBKDF2

Click "Derive Account Unlock Key" to generate

PBKDF2 Parameters: 650,000 iterations with random salt

This makes brute force attacks computationally expensive

Step 3: Generate Keysets and Your Personal Vault

The Full Account Creation Process

This step generates your complete key hierarchy and personal vault. Each encryption layer protects the next, creating 1Password's defense-in-depth security model.

Cryptographic Key Hierarchy

Account Unlock Key (AUK)

✓ Already derived from password + Secret Key

↓ encrypts

Keyset Access Key

Randomly generated 256-bit symmetric key

for encrypting asymmetric Master keys

...

↓ encrypts

Master Public Key

Randomly generated RSA-2048

for encrypting vault keys

...

+

Master Private Key

Randomly generated RSA-2048

for decrypting vault keys

...

↓ encrypts

Personal Vault Access Key

Randomly generated 256-bit symmetric key

for encrypting your actual data

...

Your account is created and encrypted locally, then sent to 1Password's servers for storage; they never see your encryption keys or plaintext data

Sent to Server:

• Email Address
• Account Password (encrypted with AUK)
• Private Key (encrypted with Keyset Access Key)
• Public Key (unencrypted, it's public)
• Vault Key (encrypted, with Public Key)
• Vault data (encrypted with Vault Key)

Never Leaves Your Device:

• Account Password
• Secret Key
• Account Unlock Key (AUK)
• Private Key
• Any unencrypted vault data

Step 4: Vault Item Encryption

Data Encryption in Action

Now let's see how your actual passwords and sensitive data get encrypted and stored. You'll see the actual encrypted bytes that would be stored in your vault.

Create a Sample Login Item

Title

Username

Password

URL

Notes

Encryption Process

1. Original Data (Plaintext)

Click "Encrypt & Store Item" to see data

2. Vault Key (AES-256)

The Vault Key encrypts your actual passwords and items. It's protected by the Master Keyset, creating a two-layer security system. Each vault has its own key.

Vault key will be shown here

↓ AES-256-GCM

3. Encrypted Data (Ciphertext)

Encrypted data will appear here

Step 5: Vault Item Decryption

Encrypted Vault Item

Ciphertext + Authentication Tag

↓ decrypted with

Vault Key

AES-256 symmetric key

↓ produces

Decrypted Data

Your original plaintext