Towaway
1 month ago
New Contributor
Re: ETH Zürich paper concerns
Researchers from ETH Zürich have newly found weaknesses (https://ia.cr/2026/058) in a range of password managers, including 1Password. The paper includes the following quotes specifically about 1Password:
1Password not only lacks authentication of public keys, but also of public-key ciphertexts. This affects not only the security of the credential-sharing feature, but also the confidentiality of the entire vault.
And
IMPACT. Complete compromise of vault confidentiality and integrity. The adversary can read and decrypt all vault contents encrypted after the attack, including passwords, creditcard information, secure notes, and other sensitive data stored in the vault. Similarly, they can inject new items into the vault after the attack.
While this sounds absolutely worrying, I know from experience that real-life danger is not always that imminent. Nevertheless, I once chose 1Password mostly for their proactive stance on security and communication about security.
My question then is: what is 1Password's reaction to this and do other readers have opinions as well?
1 Reply
- 1P_SimonH
Community Manager
Hi Towaway 👋
We appreciate the researchers’ work and the opportunity to examine these ideas closely. We conducted a thorough review of the paper and confirmed that it does not introduce any new attack vectors affecting 1Password beyond architectural considerations already documented in our Security Design White Paper.
The mitigations discussed relate to broader industry-wide challenges around key verification and server-mediated key distribution, which are areas we’ve openly documented and continue to evolve. We are committed to continually strengthening our security architecture and evaluating it against advanced threat models like this one.
For more detail, you can read our blog post on this research.