Suggestion: Expanding 1Password’s Quantum Security Readiness
Dear AgileBits Inc. team,
I recently read 1Password’s announcement about its first major milestone in post-quantum cryptography, including the deployment of hybrid post-quantum key exchange for the 1Password web app.
I appreciate that 1Password has already started taking action against “harvest now, decrypt later” risks by supporting X25519MLKEM768 for PQC-capable browsers such as Chrome and Firefox. It is reassuring to see that this protection works automatically without requiring users to change settings.
Since 1Password protects some of users’ most important digital assets, I would like to share a few suggestions on how 1Password could continue expanding its post-quantum readiness. These suggestions are divided into technical recommendations and user-facing feature recommendations.
1. Technical recommendations
Expand post-quantum protection beyond the web app
The current rollout for the 1Password web app is an important first step. As a next step, I hope 1Password can continue expanding post-quantum protection across more parts of the product and infrastructure.
Areas that would be especially valuable to address include:
- Vault synchronization across devices.
- Desktop and mobile apps.
- Browser extensions.
- Device enrollment and trusted device workflows.
- Password sharing and item-sharing mechanisms.
- Account recovery and emergency access flows.
- 1Password CLI and developer tools.
- App and browser extension update verification.
It would be helpful for users to understand which areas are already protected by post-quantum or hybrid cryptography, which areas are planned next, and which areas are still under evaluation.
Provide clearer visibility into the post-quantum roadmap
I appreciate that 1Password has described this deployment as the first phase of a broader post-quantum roadmap. As a user, I would welcome more visibility into that roadmap over time.
This does not need to expose sensitive implementation details. Even a high-level roadmap or periodic transparency update would be helpful, for example:
- Which product surfaces currently support post-quantum protection.
- Which platforms depend on browser or operating system support.
- Which areas are planned for future PQC expansion.
- Whether 1Password plans to use hybrid cryptography for more workflows.
- Whether future updates will include post-quantum protections for sharing, device trust, or recovery workflows.
This kind of communication would help users and business customers better understand 1Password’s long-term security direction.
Continue strengthening crypto-agility
Quantum-related standards and best practices may continue to evolve. For that reason, I hope 1Password continues to prioritize crypto-agility, so its cryptographic architecture can adapt as standards, algorithms, and implementation guidance change.
Important capabilities may include:
- Versioned vault formats with smooth upgrade paths.
- Replaceable key exchange and signature algorithms.
- Support for hybrid cryptographic modes during transition periods.
- Gradual cryptographic migration without affecting user data availability.
- Visibility for enterprise administrators into encryption versions and security posture.
This would allow 1Password to continue upgrading its protections over time without being constrained by older designs.
Strengthen long-term data protection and key rotation capabilities
Even with post-quantum protection for network traffic, long-term account security also depends on how credentials, shared items, and recovery mechanisms are managed over time.
I hope 1Password continues strengthening:
- Key rotation mechanisms.
- Vault re-encryption capabilities.
- Deprecation processes for older encryption formats.
- Key revocation after a device is lost or retired.
- Security updates after shared items are revoked.
- Rotation policies for highly sensitive items in enterprise environments.
These improvements would help protect users not only from future quantum-related threats, but also from everyday risks such as compromised devices, stale credentials, and over-shared secrets.
2. User-facing feature recommendations
Quantum security health check
Since post-quantum cryptography can be difficult for most users to understand, I suggest that 1Password introduce a “Quantum Security Health Check” or a similar feature that translates long-term security risks into clear, actionable guidance.
For example, this feature could check:
- Whether the account password is strong enough for long-term protection.
- Whether there are very old passwords that have not been changed for a long time.
- Whether high-risk accounts have enabled passkeys or MFA.
- Whether shared passwords have expired or have been shared with too many people.
- Whether important accounts still rely only on traditional passwords.
This would help users understand what they can personally improve, instead of viewing post-quantum security as something purely technical and invisible.
One-click password change and rotation reminders
Many users know they should change high-risk or long-standing passwords, but the process is often inconvenient. They need to sign in to a website, find the password settings page, generate a new password, save it, and confirm that the update was successful.
I suggest that 1Password make password rotation simpler and faster, for example by:
- Detecting passwords that have not been changed for a long time.
- Providing rotation reminders for high-risk accounts.
- Opening the correct password-change page for a website with one click.
- Automatically generating a new password that matches the website’s password rules.
- Helping save the new password and confirm that the update is complete.
- Providing clearer password-change recommendations for shared passwords, exposed passwords, or high-privilege accounts.
If password changes become easier, users will be more likely to rotate credentials regularly and take password hygiene more seriously. This is also relevant to long-term security, because stale credentials can become future security liabilities.
Passkey upgrade assistant
No matter how strong a password is, it can still be exposed through phishing, reuse, data breaches, or user error. Since 1Password already supports passkeys, I hope it can more actively guide users toward passkey adoption.
For example, 1Password could:
- Guide users through passkey setup.
- Identify important accounts that should be upgraded first.
- Remind users to pair passkeys with MFA or hardware security keys for sensitive accounts.
- Suggest passkey setup after a user strengthens or changes a password.
This would help users not only create stronger passwords, but also gradually reduce their dependence on traditional passwords.
Encourage quantum-ready strength when creating or changing the account password
The 1Password account password is one of the most important protections for the entire vault. When users create or change it, I suggest that 1Password provide clearer long-term security guidance.
For example, 1Password could encourage users to:
- Use a longer passphrase instead of a short password that is merely complex.
- Avoid common phrases, birthdays, names, or guessable information.
- Use a long password made from multiple random words.
- Display indicators such as “long-term security” or “quantum security readiness.”
- Clearly recommend a stronger password when the length or entropy is insufficient.
These reminders would help users make better choices at one of the most important security decision points. When a strong account password is combined with the Secret Key, device security, passkeys, and future post-quantum upgrades, the overall protection becomes much stronger.
I appreciate that 1Password has already taken a meaningful first step toward post-quantum security. My suggestion is to build on that progress by making the roadmap more visible, expanding protection to more product areas, and giving users practical tools to improve their own account security.
For users, the most valuable thing is not just knowing that post-quantum cryptography exists in the background, but being able to clearly understand:
- Which parts of my 1Password experience are already protected?
- Which accounts need to be upgraded first?
- How can I change passwords more quickly?
- Which accounts should move to passkeys?
- Is my account password strong enough for long-term protection?
If 1Password can turn these questions into clear, useful, and actionable features, I believe more users will feel confident in 1Password’s long-term security.
Thank you for your continued work. I look forward to seeing more progress from 1Password in post-quantum security and account protection.
