The 1Password Success Story: How Two Developers Built a $6.8 Billion Security Company Without Raising a Dollar for 14 Years

The 1Password success story has an unusually honest origin. There was no grand vision. No market research. No pitch deck with a TAM slide.

Two developers were building websites for other people. They kept having to log into things. There were too many passwords. They were annoyed. So they built a tool to fix that, figured they’d spend a few weeks on it, and then go back to their real jobs.

The first hour it went live, someone bought it.

That sale changed everything. Not because $30 is life-changing money, but because it was proof. A stranger on the internet had found what they built, decided it solved a problem they had, and paid for it. No marketing. No sales call. No freemium tier to graduate from. Just a product and a purchase form and a problem that turned out to be universal.

Roustem Karimov and Dave Teare did not go back to their web consultancy. They went deeper into the thing that sold itself.


Two Families, One Side Project, Fourteen Years

The backstory here matters more than it usually gets credit for. Roustem had worked at Sony as a developer. Dave had worked at IBM Canada. In 2005 they were both running a small web development consultancy in Ottawa together, the kind of operation where you build things for clients and spend a lot of time logging into different systems, different clients, different tools, different environments.

The password problem was not abstract. It was their daily life. Managing dozens of credentials across different projects, different browsers, different devices. Weak passwords were a security risk. Reusing passwords was a security risk. Writing them down was ridiculous. The existing solutions were clunky.

Roustem built the first version in a few months. It was a Mac app, which made sense given that both founders were living in the Apple ecosystem and OS X was having a moment in the mid-2000s. Clean, fast, secure. It stored passwords behind a master password and autofilled them in the browser. That was the whole product.

They put a purchase form on the website. Someone bought it. Then someone else. Then more people. First-year revenue was around $80,000. Not retire-to-the-beach money, but enough to make a decision: drop the consultancy and build this full time.

What followed was not a blitz. It was a slow, quiet, enormously patient build. For years it was just the two of them plus their spouses, Sara Teare and Natalia Karimov, doing everything. Development. Customer support. Marketing. Making sure the web store stayed up. Roustem still remembers the 2 a.m. texts when the service went down. No on-call rotation. Just two founders and their phones and the anxiety that if this goes offline, revenue stops.

They lived lean. Ramen noodles, as Roustem described it. No investors. No external capital. No safety net beyond the revenue the product was generating. Every feature they shipped had to earn its keep because there was no VC check to paper over a bad quarter.

The customer feedback loop became the whole company. Users wrote in. Dave and Roustem read every message and shipped fixes and features. More features led to more downloads. More downloads led to more feedback. More feedback led to more late nights coding. That cycle ran for years and built something with a depth and polish that products funded on venture timelines rarely achieve.


The Decision That Sounds Obvious Now

In 2012, the team had grown to about 20 people. The company was profitable, growing steadily, and increasingly struggling to keep pace with what it had become. Dave Teare gave a talk at a conference where he was honest about something: he and Roustem were great at building product and terrible at the executive functions a growing company needed. They needed a CEO.

This is a harder admission than it sounds. The company was theirs. They had built it from scratch. They were eating their own cooking every day and it was working. Bringing in an outside executive feels like admitting failure in a culture that lionizes the founder-CEO. And finding the right person for a bootstrapped security company in Canada, with a culture built over years without outside influence, is genuinely hard.

Dave knew Jeff Shiner from his IBM days. He trusted him. Jeff had B2B experience. He understood the enterprise space in a way that the founders, who had always been consumer-first, did not. He joined in 2012.

By 2019, the team was at 174 people. Jeff had doubled the team, then doubled it again, then again. The infrastructure around the product that Dave and Roustem had never built, HR, finance, sales, had all come into existence around the core engineering culture. The product kept getting better. The customer base kept growing. The revenue kept compounding.

None of this required outside capital. They did it on customer money, which is the oldest and most sustainable growth model in existence.


Fourteen Years Before the First Check

In 2019, Accel invested $200M in a Series A round. It was the first outside capital 1Password had ever taken. The company was 14 years old.

Let that sit for a moment. Most software companies that raise a Series A are between 12 and 24 months old. 1Password raised its first institutional round at 14 years, with a business that was already profitable, already serving millions of consumers and tens of thousands of businesses, already with a product that had been refined across more platform launches and product iterations than most companies accomplish in a decade.

The Accel round was not a lifeline. It was an accelerant. The company had proven the product worked, proven the business model worked, and identified a specific opportunity they wanted capital to pursue: the enterprise market.

1Password had launched its Teams product in 2015, allowing passwords to be securely shared and managed across organizations. The product-market fit was real. Businesses were using 1Password not just as a consumer add-on that employees brought from home but as a deliberate security tool they were buying and deploying across their organizations. The Series A was the fuel to pour on that fire.

The $100M Series B followed in July 2021. The $620M Series C, the largest funding round in Canadian history, closed in January 2022 and valued the company at $6.8 billion. Ryan Reynolds, Robert Downey Jr., and Justin Timberlake were among the celebrity investors. CrowdStrike CEO George Kurtz, LinkedIn chairman Jeff Weiner, and General Motors CEO Mary Barra also participated. The celebrity names got coverage. The strategic names mattered more. CrowdStrike in particular was a signal about where 1Password was heading: deeper into enterprise security infrastructure.


The B2B Pivot That Wasn’t Really a Pivot

The word pivot implies a sharp change of direction. What 1Password did with businesses was more of an extension. The consumer product had always been the right product. Now they built a version that worked for companies.

The business case was straightforward. Remote work, distributed teams, and the explosion of SaaS tools had created a credential management problem at an organizational scale. The average company in 2020 was using dozens or hundreds of cloud applications. Every one of those applications needed credentials. Every employee had their own set. Shared credentials for tools used by multiple people were living in Slack messages and spreadsheets and sticky notes. This was a security disaster in slow motion.

1Password for Business gave IT and security teams visibility and control. Admins could see which employees had access to which applications. They could enforce strong password policies. They could deprovision departing employees instantly. They could give employees a secure way to share credentials within teams without those credentials ever being exposed in plaintext.

The land and expand motion played out naturally. Employees who already used 1Password personally recognized the experience. The product did not require an onboarding marathon. A new employee would be given access to the company vault and immediately have their relevant credentials without anyone copying them from a doc. The more employees that used it, the more tightly embedded it became in the organization’s daily operations.

By late 2023, over two-thirds of 1Password’s revenue was coming from business customers. By 2024, more than 75% of revenue was B2B. Revenue crossed $318M in 2024 and hit $400M ARR in October 2025, with 180,000 business customers and gross retention above 90%. IBM, Slack, Shopify, Datadog, Intercom, Snowflake. The enterprise customer list grew into a recognizable roster of the companies that care most about security and move fast enough to choose vendors on product quality rather than brand recognition.


The Security Architecture That Built the Trust

There’s a dimension of the 1Password success story that doesn’t get enough credit in business-focused writeups, and it’s the actual security design of the product.

Most password managers operate on a zero-knowledge architecture, meaning the company cannot decrypt your passwords even if it wanted to or was compelled to. 1Password does this. But it goes further with something called the Secret Key, a 128-bit key that is generated on your device and stored nowhere except places you control. The combination of your master password plus this Secret Key is required to decrypt your vault. 1Password does not have the Secret Key. Your device has it.

The practical consequence is that a breach of 1Password’s servers, which would contain only encrypted data, would yield nothing to an attacker without both your master password and your Secret Key. This is meaningfully stronger than a system where just a master password stands between an attacker and your credentials.
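The two-secret idea described above, sketched as an added example (not code from the original article and not 1Password's implementation): the vault key depends on both a stretched master password and a device-held 128-bit secret, so a server record plus a correct password is still not enough to unlock. The PBKDF2/HKDF/XOR construction, the iteration count, the labels, the key-check tag, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, one 32-byte output block."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a slow-stretched password with a high-entropy device secret."""
    if len(secret_key) != 16:
        raise ValueError("secret key must be 128 bits")
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    sk_part = hkdf_sha256(secret_key, salt, b"example/secret-key")
    # XOR the halves: the result is unknown unless both inputs are known.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def enroll(master_password: str) -> tuple[bytes, dict]:
    """Device-side signup: returns (secret kept locally, record sent to server)."""
    secret_key = secrets.token_bytes(16)  # generated on the device, never uploaded
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, secret_key, salt)
    # A key-check tag stands in for authenticated decryption of the vault.
    check = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return secret_key, {"salt": salt, "check": check}


def unlocks(record: dict, master_password: str, secret_key: bytes) -> bool:
    """True only when both secrets reproduce the key bound to the record."""
    key = derive_vault_key(master_password, secret_key, record["salt"])
    tag = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, record["check"])


if __name__ == "__main__":
    # Constructed sample password; the record is what a server would hold.
    device_secret, server_record = enroll("correct horse battery staple")
    print(unlocks(server_record, "correct horse battery staple", device_secret))
    # Same record and the right password, but a different device secret:
    print(unlocks(server_record, "correct horse battery staple", secrets.token_bytes(16)))
```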

This design is not free. It creates complexity around account recovery. If you lose your Secret Key and your master password, 1Password cannot recover your account. There is no “forgot password” flow that ends with an email to your inbox. The security architecture is real and comes with real tradeoffs.

The decision to make that tradeoff in favor of genuine security, rather than building recovery options that would have softened the product’s security guarantees, is a values decision. One that cost them some customers who found the model too demanding but earned them a category of customer who needed to trust that no one, including the vendor, could access their data.

For enterprise security buyers, this distinction matters enormously. The question “can your employees access our passwords?” has to have an answer of no that is architectural, not just policy. 1Password built the architecture that makes that answer true.


From Password Manager to Extended Access Management

The most interesting strategic move of the last few years at 1Password is the bet on Extended Access Management, which they’ve been calling XAM.

The premise goes like this. The traditional scope of password management is credential storage. You keep passwords in a vault, autofill them when you need them, and generate new ones when you have to. This solved the 2005 problem.

The 2024 problem is different. Modern organizations have not just passwords but passkeys, API keys, developer secrets, OAuth tokens, shared service accounts, and dozens of SaaS applications that employees are using without IT’s knowledge. The scope of what needs to be secured has expanded well beyond passwords.

XAM is 1Password’s answer to that expansion. The pitch is securing every sign-in for every app on every device, including the apps IT doesn’t know about. The Trelica acquisition in early 2025 brought shadow IT discovery capabilities into the platform, letting security teams identify and manage applications that employees are using without authorization. The acquisition of Passage in 2022 deepened passkey infrastructure. The acquisition of SecretHub in 2021 added developer secrets management.

The strategic direction is clear. 1Password is not trying to remain a password manager. It is trying to become the access security layer for the modern enterprise: the system that governs who can get into what, across everything, in an era where “everything” includes devices you don’t own, applications you didn’t approve, and AI agents acting on behalf of employees without any human in the loop.

That last piece is genuinely new territory. AI agents making API calls on behalf of users create credential and access management problems that existing tooling is not built for. 1Password is positioning itself to be the infrastructure layer for that problem before it becomes the catastrophic security issue many expect it to become.


What the 1Password Success Story Is Actually About

Pull the mythology out and a few things are genuinely true.

They built a product that solved a problem they personally had, which is the most durable kind of product insight. Every user frustration they fixed was a frustration they understood from the inside.

They bootstrapped for 14 years. Not because they couldn’t raise money, but because the business didn’t need it and taking money creates obligations that can distort a product culture. The product that got to 14 years of profitable growth without outside capital is a product that was built to what customers would pay for, not to what investors would fund.

The enterprise pivot was really a natural extension, not a departure. The consumer product built the reputation and the distribution. The business product monetized what that reputation had earned. The same security culture that consumers trusted turned out to be exactly what enterprise security teams needed.

The security architecture was a genuine bet. Choosing a design that was harder to use in exchange for security guarantees that were actually credible cost them some customers and earned them the category of customer that makes a company’s reputation.

And 14 years of compounding product quality before taking their first dollar of outside capital means that by the time institutional capital arrived, the product was hard to replicate. Competitors with millions in VC funding couldn’t outbuild something that had been refined by two obsessive founders over more than a decade.

Two developers in Ottawa who were annoyed about passwords. A few months of coding. A purchase form. Someone bought it in the first hour.

Four hundred million dollars in annual recurring revenue, 19 years later.
