1Password
Password manager and secure wallet
1Password — Official Website
Quick Take: 1Password
1Password remains the best password manager for developers and security-conscious professionals in 2026. The dual-key encryption, SSH agent, CLI with secret references, and Watchtower monitoring put it ahead of competitors on both security and developer workflow integration. The family plan is excellent value. Travel Mode is unique and genuinely useful. The two real criticisms: no free tier (Bitwarden exists and is good), and the Electron-based 1Password 8 is heavier than the old native app. For professional developers who work with SSH keys, API credentials, and team secrets, 1Password isn't just a password manager — it's security infrastructure.
Best For
- •Developers who want SSH agent integration and CLI secret management
- •Families who need shared vaults with individual privacy
- •Business travelers who need Travel Mode for border crossings
- •Teams that need centralized credential management with audit logs
- •Security-conscious professionals who want the strongest encryption architecture
What is 1Password?
1Password is a password manager from AgileBits that stores your passwords, API keys, credit cards, SSH keys, and secure notes in encrypted vaults. You remember one master password; 1Password remembers everything else. What separates 1Password from competitors is its security model. Your data is encrypted with two keys: your master password and a 128-bit Secret Key generated when you create your account. Both are required to decrypt your vault, and neither is stored on 1Password's servers. This means even if 1Password suffers a breach (which they haven't, but security is about planning for the worst), attackers get encrypted data they can't read because they don't have your Secret Key. This is a meaningful architectural advantage over competitors that rely solely on a master password. For developers, 1Password has become more than a password manager. The SSH agent stores your SSH keys in the vault and signs Git commits without exposing private keys on disk. The CLI (`op`) injects secrets into shell commands, environment variables, and config files. CI/CD integration through 1Password Connect provides secrets to pipelines without hardcoding them. These developer features have turned 1Password from 'that password app' into actual security infrastructure. 1Password 8, the current version, is built on Electron — which is the main complaint from long-time Mac users. The previous version (1Password 7) was a native macOS app that felt fast and native. 1Password 8 is cross-platform and feature-rich but noticeably heavier. AgileBits has optimized it significantly since launch, and on modern Macs it runs fine, but the 'it's an Electron app' criticism has stuck. The pricing: Individual ($3.99/month billed annually), Families ($5.99/month for 5 users billed annually), Teams Starter Pack ($19.95/month flat for up to 10), Business ($7.99/user/month). No free tier — there's a 14-day trial. Bitwarden is the obvious free alternative, but 1Password's polish, developer features, and Watchtower security monitoring justify the cost for most professional users.
Install with Homebrew
brew install --cask 1passwordDeep Dive: 1Password for Developers
How 1Password evolved from a password manager into developer security infrastructure.
History & Background
1Password launched in 2006 as a Mac-only password manager. For over a decade, it was known primarily as a consumer product — the polished, Apple-like alternative to LastPass. The pivot toward developers started around 2021 with the SSH agent and CLI tools. By 2026, the developer features have become a major differentiator: SSH key management, secret references for config files, CI/CD integration through Connect, and Git commit signing. This repositioning has made 1Password relevant to engineering teams, not just end users.
How It Works
The security model centers on zero-knowledge encryption. Your vault is encrypted with a key derived from your master password + Secret Key using PBKDF2 with 650,000 iterations (as of 2026). The encrypted data syncs to 1Password's servers, but the decryption keys never leave your devices. The SSH agent runs as a local process that holds decrypted keys in memory (never on disk) and presents them to SSH clients when you approve via Touch ID. The CLI resolves secret references by contacting the local 1Password app (or Connect server) at runtime, injecting plaintext values into the environment only for the duration of the command.
Ecosystem & Integrations
1Password integrates with the developer toolchain at multiple points. The SSH agent works with any SSH client, including git. The CLI integrates with shell scripts, Docker, and orchestration tools. Connect provides an API for CI/CD systems (GitHub Actions, GitLab CI, Jenkins). VS Code and JetBrains plugins offer in-editor secret lookups. Tower (Git GUI) integrates with 1Password's SSH agent natively. The Terraform provider manages 1Password items as infrastructure-as-code.
Future Development
AgileBits continues to expand developer features. Recent additions include Developer Watchtower (scanning local SSH directories for insecure keys), expanded passkey management, and improved secret reference syntax. The company is also working on performance optimizations for the Electron app and deeper integrations with identity providers for business customers.
Key Features
Watchtower
Watchtower is 1Password's security dashboard. It continuously scans your saved logins and flags weak passwords, reused passwords, and credentials found in known data breaches (checked against Have I Been Pwned). It also identifies accounts where you haven't enabled two-factor authentication and sites that now support passkeys. This isn't a one-time audit — it runs continuously and updates as new breaches are disclosed. The actionable part: click any flagged item, and 1Password takes you to the site to change your password, pre-filling a new generated one.
SSH Agent
1Password can act as your SSH agent. Store SSH keys in your vault, and 1Password handles key presentation when you ssh into servers or push to GitHub. Keys never exist as files on disk — they're decrypted in memory only when needed, authenticated via Touch ID or your master password. You can configure which keys are used for which hosts in an agent.toml config file. For developers, this means no more ~/.ssh/id_rsa files sitting unencrypted on your laptop. Git commit signing works through the same mechanism.
CLI and Secret References
The `op` CLI lets you read vault items from the command line. More usefully, secret references let you embed vault paths in config files and environment variables: `export DATABASE_URL="op://Development/PostgreSQL/url"`. When you run `op run -- your-command`, 1Password resolves the references and injects the actual secrets as environment variables. No more .env files with plaintext credentials. For CI/CD, 1Password Connect provides an API that pipelines can call to fetch secrets at runtime.
Passkey Support
1Password fully supports passkeys — creating, storing, and using them across all your devices. When a site supports passkeys, 1Password offers to create one during registration. Future logins use Touch ID or Face ID instead of a password. Passkeys are phishing-resistant (they don't work on fake sites) and synced across all your 1Password devices. As more sites adopt passkeys throughout 2026, 1Password is positioned to manage both your legacy passwords and your new passkeys in one place.
Travel Mode
Travel Mode is a feature nobody else has. Before crossing a border, toggle Travel Mode on from 1Password.com. All vaults not marked 'Safe for Travel' are removed from your devices — not hidden, removed. If border agents inspect your phone or laptop, there's nothing to find. Your employer's API keys, your personal documents, your client credentials — all gone from the device. When you arrive and toggle Travel Mode off, everything syncs back. This is genuinely useful for anyone who crosses borders with sensitive data on their devices.
Family Sharing and Recovery
The Families plan ($5.99/month for 5 users billed annually) lets you create shared vaults for household passwords (Netflix, Wi-Fi, utilities) while keeping personal vaults private. The family organizer can recover accounts for other members — useful when a kid forgets their master password. You can share individual items via secure, expiring links with people who don't have 1Password. The family plan is one of 1Password's strongest value propositions: approximately $1.20/person/month for the whole household's password security.
Browser Extension and Autofill
1Password's browser extension (Safari, Chrome, Firefox) handles autofill for passwords, credit cards, and addresses. It detects login forms and offers to fill or save credentials. The extension connects to the desktop app, so unlocking the app with Touch ID unlocks the extension too. The autofill includes a phishing protection feature: 1Password only fills credentials when the URL matches the saved login. If you land on a lookalike phishing site, 1Password won't autofill — a visual cue that something is wrong.
Business and Team Features
The Business plan adds custom groups and roles, vault access policies, activity logs, SCIM provisioning (auto-create/deactivate accounts from your identity provider), and integration with Slack, Splunk, and other tools. Business users get a free Families plan for their personal use. For IT admins, the admin console provides visibility into team security posture through Watchtower for Teams — see which team members have weak or reused passwords without seeing the passwords themselves.
Who Should Use 1Password?
1The Developer
A backend developer stores SSH keys, API tokens, database credentials, and service account passwords in 1Password. Their SSH agent is configured to use 1Password, so `git push` authenticates via Touch ID — no key files on disk. Development environment secrets use `op run` with secret references, so .env files contain vault paths instead of plaintext credentials. When they onboard a new team member, the team lead shares the development vault — instant access to all development credentials without sending passwords over Slack.
2The Family Manager
A parent manages passwords for a family of four. A shared 'Household' vault contains streaming services, Wi-Fi passwords, utility account logins, and the school portal. Each family member has a personal vault for their own accounts. When their teenager forgets a password, the parent can help through the family recovery feature. The parent's Watchtower catches that their partner is reusing the same password on 12 sites and helps them fix it. Total cost: $5.99/month for the whole family.
3The Business Traveler
A consultant who crosses international borders frequently carries a laptop with client credentials, internal tools, and sensitive documents. Before each trip, they enable Travel Mode. All vaults except 'Travel Safe' (containing airline logins and hotel credentials) are removed from their devices. If their laptop is inspected at customs, there's nothing sensitive to find. After clearing customs, they turn off Travel Mode and everything syncs back within minutes.
How to Install 1Password on Mac
1Password installs via Homebrew, direct download from 1password.com, or the Mac App Store.
Install via Homebrew
Run: brew install --cask 1password. This installs the 1Password desktop app. For the CLI, also run: brew install 1password-cli.
Create or Sign In to Your Account
Open 1Password. Either create a new account (you'll get a Secret Key — save your Emergency Kit immediately) or sign in with your existing account's email, Secret Key, and master password.
Install the Browser Extension
Go to 1Password > Settings > Browsers and install the extension for Safari, Chrome, or Firefox. The extension connects to the desktop app for authentication — unlock the app with Touch ID, and the extension unlocks too.
Enable Touch ID
1Password > Settings > Security > Touch ID. This lets you unlock with your fingerprint instead of typing your master password every time. You'll still need the master password after a restart or after 14 days.
Pro Tips
- • Print your Emergency Kit (contains your Secret Key) and store it somewhere physically secure. If you lose your Secret Key and all your devices, your data is unrecoverable.
- • Install the CLI (brew install 1password-cli) if you're a developer — the `op` command and SSH agent features are worth setting up.
- • Enable 'Integrate with 1Password CLI' in the desktop app settings to link the CLI to the desktop app for biometric authentication.
- • Import from your old password manager (LastPass, Bitwarden, Chrome) using 1Password's import tool: 1Password > File > Import.
Configuration Tips
Set Up the SSH Agent
1Password > Settings > Developer > SSH Agent: turn it on. Add your SSH keys to your vault (or let 1Password generate new ones). Add `IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"` to your ~/.ssh/config. Now ssh and git commands authenticate through 1Password with Touch ID. No more key files on disk.
Configure Secret References for Development
Instead of .env files with plaintext secrets, use 1Password secret references. Create a .env file with entries like `DATABASE_URL=op://Development/PostgreSQL/url`. Run your app with `op run -- npm start`. 1Password resolves the references at runtime. Share the .env file freely — it contains vault paths, not secrets.
Set Up Travel Mode Vaults
Before your first trip, go to 1Password.com > Vaults. Mark each vault as 'Safe for Travel' or not. Create a 'Travel' vault for airline, hotel, and transit credentials. When you toggle Travel Mode on, only 'Safe for Travel' vaults remain on your devices. Practice this once at home before relying on it at a border.
Customize Watchtower Alerts
1Password > Watchtower shows your security score. Address critical items first: compromised passwords (found in breaches), then reused passwords, then weak passwords. Enable passkeys on sites that support them — Watchtower identifies these. Set a quarterly reminder to check Watchtower and clean up flagged items.
Alternatives to 1Password
1Password competes in a crowded market. The main alternatives make different tradeoffs between price, features, and openness.
Bitwarden
Bitwarden is open-source and has a generous free tier (unlimited passwords, unlimited devices). The paid plan ($10/year) adds TOTP, file attachments, emergency access, and advanced security features. Bitwarden is the clear choice for budget-conscious users and open-source advocates. 1Password is more polished, has better developer features (SSH agent, CLI, secret references), and Watchtower is more proactive. If $36/year matters to you, Bitwarden is excellent. If developer features and polish matter, 1Password is worth the premium.
Apple Keychain
Apple's built-in password manager is free, integrates with Safari and system autofill, and now supports passkeys. It's gotten much better in recent macOS versions. For users who only use Apple devices and Safari, Keychain is a viable free option. 1Password wins on cross-platform support (Windows, Linux, Android), developer features, shared vaults, Watchtower monitoring, and the ability to store more than just passwords (API keys, secure notes, documents).
Dashlane
Dashlane offers similar features to 1Password (password management, breach monitoring, VPN) at a comparable price. Its dark web monitoring is slightly more detailed than Watchtower. 1Password's developer features, Travel Mode, and family plan pricing give it an edge. Dashlane is a fine choice; 1Password is better for technical users.
Pricing
Individual: $3.99/month ($47.88 billed annually). Includes unlimited passwords, 1GB document storage, Watchtower, Travel Mode, and all apps. Families: $5.99/month ($71.88 billed annually) for up to 5 users. Everything in Individual, plus shared vaults and family recovery. Teams Starter Pack: $19.95/month flat for up to 10 users. Business: $7.99/user/month (billed annually). Adds custom roles, SCIM provisioning, activity logs, and free Families plan for each user. Enterprise: Custom pricing with dedicated support and advanced compliance features. 14-day free trial on all plans. No permanent free tier — this is 1Password's most common criticism.
Pros
- ✓Dual-key encryption (master password + Secret Key) provides best-in-class security architecture
- ✓SSH agent replaces key files on disk with Touch ID-authenticated signing
- ✓CLI and secret references eliminate plaintext credentials in development workflows
- ✓Watchtower continuously monitors for breaches, weak passwords, and missing 2FA
- ✓Travel Mode removes sensitive vaults from devices during border crossings
- ✓Family plan is excellent value ($1/person/month) with shared vaults and recovery
- ✓Passkey support is comprehensive across all platforms
- ✓Browser extension with phishing-resistant autofill (URL matching)
- ✓Business features include SCIM, activity logs, and team Watchtower
Cons
- ✗No free tier — Bitwarden is free and open source
- ✗1Password 8 is Electron-based — heavier than the native 1Password 7 was
- ✗Secret Key is critical to save — lose it and lose access to your account
- ✗Higher cost than Bitwarden ($47.88/year vs $10/year for individual)
- ✗No direct phone support — email and community forums only
- ✗The Electron decision disappointed long-time Mac users who valued native performance
- ✗Business plan pricing gets expensive for large teams ($7.99/user/month)
Community & Support
1Password has an active community forum (1password.community) where users ask questions and AgileBits staff respond directly. The developer documentation at developer.1password.com is thorough, covering SSH agent setup, CLI usage, Connect server deployment, and secret reference syntax. Support is email-based with a 24/7 chatbot for common questions; there's no phone support. The subreddit r/1Password is active but smaller than competing password manager communities. AgileBits publishes a security blog and participates in regular third-party security audits. The company's track record on security is clean — no breaches, transparent about their architecture, and responsive to security researchers.
Video Tutorials
Getting Started with 1Password
More Tutorials
How to use 1Password 2026 | The Only 1Password Tutorial & Review You’ll Need! 🔥
VPNpro • 48.1K views
1Password Tutorial (2025) | Step-by-Step Beginners Guide
MinorCo • 25.7K views
Use the 1Password extension to save and fill passwords on your Mac
1Password • 93.2K views
Frequently Asked Questions about 1Password
Our Verdict
1Password remains the best password manager for developers and security-conscious professionals in 2026. The dual-key encryption, SSH agent, CLI with secret references, and Watchtower monitoring put it ahead of competitors on both security and developer workflow integration. The family plan is excellent value. Travel Mode is unique and genuinely useful. The two real criticisms: no free tier (Bitwarden exists and is good), and the Electron-based 1Password 8 is heavier than the old native app. For professional developers who work with SSH keys, API credentials, and team secrets, 1Password isn't just a password manager — it's security infrastructure.
About the Author
Related Technologies & Concepts
Related Topics
Developer Security Tools
Tools for managing secrets, SSH keys, and credentials in development workflows.
Sources & References
Fact-CheckedLast verified: May 6, 2026
Key Verified Facts
- 1Password uses dual-key encryption with a master password and a 128-bit Secret Key.[cite-9]
- 1Password offers a Travel Mode feature that removes sensitive vaults from devices.[cite-8]
- 11Password Official Website
Accessed May 6, 2026
- 21Password Travel Mode Documentation
Accessed May 6, 2026
- 31Password Security Model
Accessed May 6, 2026
Research queries: 1Password Mac 2026 developer features SSH agent review