Choose 1Password if you want the password manager that survived its breach with zero vault exposure, thanks to its Secret Key architecture and strict zero-knowledge boundaries. Choose LastPass if cost is your priority, but know that its 2022 breach led to actual credential exposure for some users after attackers cracked master password hashes. Both services experienced security incidents, but 1Password’s architectural decisions contained the damage far more effectively.
LastPass Breach History
LastPass has experienced multiple security incidents over the years, with the most significant breaches occurring in 2022 and 2023. Understanding these incidents reveals important details about how password manager security works under pressure.
The 2022 Breach
In August 2022, LastPass disclosed a breach where attackers gained access to a DevOps engineer’s computer. The attacker installed a keylogger on the engineer’s device, capturing the master password when the employee authenticated to their LastPass account. With this master password, the attacker accessed the employee’s vault and encrypted backup data.
The critical security architecture detail here involves LastPass’s encryption scheme. LastPass used AES-256 encryption for vault data, but the encryption key derivation relied on a relatively limited number of iterations for the key derivation function. While technically compliant with standards at the time, this choice meant that once the master password was compromised along with the encrypted vault, offline brute-force attacks became feasible.
The 2023 Follow-up Attacks
The 2022 breach had longer-lasting consequences than initially disclosed. In 2023, attackers exploited the previously stolen data, attempting to crack the encrypted master passwords. LastPass confirmed that some password hashes were successfully cracked, leading to the exposure of certain users’ vault contents including website credentials and secure notes.
The company’s response included implementing additional security measures such as increased iteration counts for key derivation and enhanced monitoring. However, the incident raised questions about whether the initial architecture had been conservative enough given the sensitivity of data being protected.
1Password’s Breach Experience
1Password experienced a security incident in 2023, though the nature and outcome differed markedly from LastPass’s experience.
The 2023 1Password Incident
In September 2023, 1Password disclosed that a sophisticated attacker had compromised an employee’s credentials and gained limited access to an internal administrative system. The attacker obtained a service account that provided read-only access to certain user data including email addresses, account names, and membership information.
What distinguished this incident was the architectural separation that prevented the attacker from accessing vault contents or master passwords. 1Password’s systems are designed with a security boundary where administrative systems cannot access encrypted vault data. The service account that was compromised lacked permissions to decrypt user vaults or obtain cryptographic keys.
Technical Response and Transparency
1Password published a detailed technical post-mortem explaining exactly what was accessed and what remained protected. The company demonstrated that their zero-knowledge architecture functioned as designed—the attacker could not access the most sensitive data despite successfully penetrating part of the infrastructure.
Security Architecture Comparison
The different outcomes stem from fundamental architectural choices both companies made.
Encryption Key Derivation
Both services use AES-256 for encryption, but their key derivation approaches differ:
# Simplified concept of key derivation
# LastPass (pre-2022): 100,000 iterations
# LastPass (post-2023): 600,000+ iterations
# 1Password (current): 1,000,000+ iterations with PBKDF2-HMAC-SHA256
The iteration count matters because it directly affects how long an attacker would take to brute-force a compromised master password. Higher iteration counts slow down both legitimate authentication and attacks proportionally.
Zero-Knowledge Architecture
1Password’s security model maintains strict separation between what the server knows and what can be decrypted:
- The server stores encrypted vault data but never possesses decryption keys
- Master passwords never leave the user’s device
- Even administrative access provides no path to vault contents
LastPass also maintains a zero-knowledge model, though the 2022 breach demonstrated that master password compromise creates significant risk when combined with encrypted vault theft.
Secret Key Implementation
1Password introduced the Secret Key as an additional security layer:
# When setting up 1Password, you receive a Secret Key
# Format example: A3B4-C5D6-E7F8-G9H0
# This key is combined with your master password locally
# Never transmitted, never stored on servers
This Secret Key means that even if your master password were somehow compromised, attackers would still need the Secret Key—which exists only on your enrolled devices—to access vault data.
What Developers Should Consider
For developers and power users evaluating these tools, several practical considerations emerge from the breach histories.
Credential Management in Applications
When building applications that integrate with password managers, understand what data remains protected:
// Example: What 1Password's Connect API can access
// The API server holds encryption keys for vault access
// but user master passwords remain client-side only
const { Connect } = require('@1password/connect');
const op = Connect('https://your-connect-server');
// Only retrieves what the vault explicitly shares
const secret = await op.getItem('api-key', 'Development');
The key insight is that integration architecture determines what data flows through your systems. Minimizing the exposure of sensitive credentials during application operations remains the developer’s responsibility.
Incident Response Capability
Both companies demonstrated different incident response capabilities:
| Aspect | 1Password | LastPass |
|---|---|---|
| Time to disclosure | ~2 weeks | ~4 months (initial) |
| Technical transparency | Detailed post-mortem | Summary-level updates |
| Architectural changes | Secret Key addition | Iteration count increases |
| User notification | Direct email | Blog post + email |
For organizations with compliance requirements, documentation and notification timelines may factor into vendor selection.
Migration Considerations
If you’re moving between password managers, understand the migration security implications:
# 1Password export format is encrypted by default
op export --vault "Personal" --format json --output backup.json
# LastPass provides various export options
# Always encrypt exports immediately after migration
Never store exported vault data in plain text, regardless of which platform you’re using.
Recommendations for Developers
Based on the breach histories, several practices strengthen your security posture:
Use Secret Key functionality if your password manager offers it. This additional factor protects against master password compromise scenarios.
Enable two-factor authentication on your password manager account. Hardware tokens like YubiKeys provide the strongest second factor.
Review vault access regularly and remove items you no longer need. Smaller vault sizes reduce the blast radius of any potential compromise.
Consider compartmentalization for high-value credentials. Some developers maintain separate vaults for work and personal use, or use different password managers for different sensitivity levels.
Monitor account activity for both services. Both platforms provide login history and device management features that can alert you to unauthorized access attempts.
Conclusion
Both 1Password and LastPass experienced security breaches, but the outcomes differed significantly due to architectural decisions made before those incidents occurred. 1Password’s Secret Key implementation and stricter zero-knowledge boundaries limited the damage of their 2023 breach. LastPass’s breach resulted in actual credential exposure for some users, prompting substantial architectural changes.
For developers and power users, the practical takeaway involves understanding that no system is invulnerable. What matters is how a service is designed to contain breaches and protect the most sensitive data. The architectural decisions that protected 1Password users were made years before their incident—demonstrating that security investments pay dividends when incidents occur.
Evaluate password managers based on their worst-case scenarios rather than marketing claims. The breach histories provide concrete data for that evaluation, even though both services remain popular and actively maintained.
Related Reading
Built by theluckystrike — More at zovo.one