SYSTEM Cited by 1 source

1Password

What it is

1Password is a commercial password manager — encrypted credential vault + browser plugin + mobile app — widely adopted as the shared-credential substrate for small-to-mid-size engineering orgs. Stores passwords, TOTP seeds, SSH keys, passkeys, and arbitrary secure notes; the vault is end-to-end encrypted with a user-held secret key combined with the account password.

Typical use in the orgs the wiki tracks:

  • Primary user password + MFA vault for individual engineers.
  • Shared vault for team- or company-level credentials that can't be federated through SSO — social accounts, non-SSO SaaS tools, legacy systems, emergency break-glass accounts.
  • Passkey store, increasingly, since 1Password added passkey sync.

Why it's on this wiki

1Password appears as the credential-store-of-record for accounts that fall outside the SSO/IdP regime — the legacy shared account surface. Fly.io's 2025-10-08 postmortem is the canonical wiki instance:

"Twitter had been a sort of legacy shared account for us, with credentials managed in 1Password and shared with our zoomer contractor. […] Which is why Kurt was in a position to pull credentials from 1Password and log in to members-x.com in response to an email from alerts-x.com." (Source: sources/2025-10-08-flyio-kurt-got-got)

The browser-plugin-as-phishing-guardrail property

1Password's browser plugin refuses to autofill a saved credential on a URL that doesn't match the domain the credential was saved against. This is a poor-man's origin check — the domain-matching rule approximates, behaviourally, what WebAuthn does cryptographically. The Fly.io postmortem explicitly names this as the control that would have caught the attack:

"The 1Password browser plugin would have noticed that 'members-x.com' wasn't an 'x.com' host." (Source: sources/2025-10-08-flyio-kurt-got-got)

The failure mode is manual retrieval — copy-password-to-clipboard, reveal-password, or pulling the credential via the desktop app — any of which routes around the plugin's domain-check. Kurt pulled the credential manually, pasted it into the lookalike, and the domain-check never got to run. See patterns/password-manager-as-phishing-guardrail for the pattern treatment.
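
The point that makes this "origin check" worth having is the label boundary: 'members-x.com' literally ends with 'x.com', so a substring-style rule would have filled the lookalike too. The example below is added here (it is not 1Password's code, and the matching rule is an assumed simplification of what such a plugin does); it contrasts the naive rule with a label-boundary rule over a constructed entry modelled on the Fly.io case.

```python
from urllib.parse import urlsplit

# Constructed sample, modelled on the case above: the credential was saved
# against x.com, and the lookalike login page lives on members-x.com.
SAVED_SITE = "https://x.com/login"
LOOKALIKE_PAGE = "https://members-x.com/login"


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL: no scheme, port, path or trailing dot."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def naive_match(saved_url: str, page_url: str) -> bool:
    """A tempting but wrong rule: the page host ends with the saved host.
    'members-x.com' ends with 'x.com', so this rule would fill the lookalike."""
    return host_of(page_url).endswith(host_of(saved_url))


def label_boundary_match(saved_url: str, page_url: str) -> bool:
    """Assumed simplified form of a password manager's domain rule:
    exact host, or a subdomain separated by a '.' label boundary, over https.
    A hyphen is not a label boundary, so 'members-x.com' is a different host."""
    if urlsplit(page_url).scheme != "https":
        return False
    saved, page = host_of(saved_url), host_of(page_url)
    return page == saved or page.endswith("." + saved)


if __name__ == "__main__":
    for page in (LOOKALIKE_PAGE, "https://mobile.x.com/i/flow",
                 "http://x.com/login", "https://x.com.evil.example/"):
        print(f"{page:35} naive={naive_match(SAVED_SITE, page)!s:5} "
              f"label_boundary={label_boundary_match(SAVED_SITE, page)}")
```

Either rule only runs when the plugin does the filling; a credential copied out by hand never reaches it, which is the bypass the postmortem describes.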

Relationship to SSO

1Password is the fill-in-for-what-SSO-can't-cover. In Fly.io's stack:

The wiki-level lesson: 1Password is a stopgap, not a strategy. It's strictly weaker than phishing-resistant MFA behind an IdP. It earns its place by covering the long tail of accounts you can't get behind the IdP — but those accounts are exactly the ones the legacy-shared-account failure mode exploits. Minimise the 1Password-only surface; move as much as possible behind the IdP; use passkeys in 1Password where the target supports them.

Access-audit property

1Password logs who pulled which credential and when. In the Fly.io incident, this was the input to the containment step:

"Our immediate response was to audit all accesses to the login information in 1Password, to cut all access for anybody who'd recently pulled it; your worst-case assumption in a situation like this is that someone's endpoint has been owned up." (Source: sources/2025-10-08-flyio-kurt-got-got)

The audit log is the hinge on which the worst-case containment playbook pivots.

Seen in

  • Fly.io Kurt Got Got (2025-10-08) — canonical wiki instance. 1Password is Fly.io's shared-credential store for the Twitter account; the browser plugin's domain-check is named as the would-have-caught-it control, the manual-copy-paste failure mode is named as why it didn't, and the access log is named as the audit hinge for containment (sources/2025-10-08-flyio-kurt-got-got).