I Finally Organized My 1Password. It Took an Afternoon.
I have had 1Password for eight years. I had never once organized it.
Not metaphorically. My personal account had a single vault called "Private" with 494 items in it. Banking sat next to Instagram. Dev credentials from jobs I left years ago sat next to family travel logins. Eleven items titled "Google." Five items titled with the name of a staging environment I had not touched in a year. Four items titled, I wish I was making this up, "Login."
I fixed it in an afternoon with Claude Code.
This is the second time I have used a coding tool to organize something that is emphatically not code. First my Documents folder. Now my password manager. At some point this stops being a novelty and starts being a pattern.
Why It Got So Bad
Password managers are write-once-read-many. You save a credential when you create an account, and then for years you only retrieve it. You never go back. You never prune. You never rename.
Meanwhile your life keeps changing. You take a contract role, get a company email, save fifteen credentials under it, leave two years later, and never touch those items again. You start a handful of side projects, each of them needing an AWS account and a GitHub login, and you name them all, well, "AWS" and "GitHub," because in the moment you were not thinking about future-you trying to tell them apart.
Multiply by eight years and a long list of indie projects and you get 494 items. Eleven Googles. A few Instagrams, one of them a pet account. Credentials belonging to a traveling companion who came on a family trip in 2022 and whose visa-appointment login was apparently never deleted.
I had known this for a long time. Every time I searched 1Password and three "Google" results came up, I thought "I should fix that." I never did. The decisions were individually trivial and collectively too tedious to face.
The Setup
I opened Claude Code and described the problem in one paragraph. It asked three questions before touching anything:
- Scope. Personal account only, or also my work accounts?
- Vault structure. Did I want a proposal before any changes?
- Safety. Would I be okay with archive-only, never hard delete?
Good questions. All three became the operating rules for the session.
Then, unprompted, it wrote a metadata snapshot of all 527 items across all my vaults into my Obsidian second-brain directory and committed it to git. Not the passwords. Not the sensitive content. Just the structural information: IDs, titles, URLs, vault placement, timestamps. Enough to know what was where, so any reversal could be guided.
It also started an audit log file. Every mutation gets one line. Timestamp. Operation. Item ID. Before to After. Notes. 162 entries by the end of the session.
I did not ask for either of these. Claude Code proposed them, I said yes, and they became the safety rails the whole afternoon ran on.
Bucket One: The Obvious Duplicates
First pass. Find titles that appear more than once. Resolve which are true duplicates and which are legitimately different accounts.
Thirty-plus duplicate titles. We walked through them in a table.
True duplicates, same username same URL:
- Ayo three times, all identical, all dated the same day. Triplicate. Keep one, archive two.
- PS App twice, identical.
- An old contractor login saved twice, identical.
- Vivo twice, same CPF, same URL, two years apart. Keep the newer.
Multi-account, same service, different logins (not actually duplicates, just poor naming):
- Eleven Googles, each a different email address.
- Five items for the same service, scattered across personal use and a couple of staging environments.
- A handful of GitHub accounts spread across different contexts.
- Two bank accounts, one personal one business, same institution.
The insight was separating "duplicate" from "poorly named." The first group gets archived. The second group gets renamed using a Service ~ Context pattern that 1Password already handles gracefully. Google ~ Personal. GitHub ~ Work. Bank ~ PJ.
Eight items archived in the first batch, each logged, each recoverable from the 1Password Archive view indefinitely. Nothing lost.
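An added example, not the code from the session: one way to separate true duplicates from poorly named multi-account items using only snapshot metadata. The field names and sample rows are constructed, and comparing hostnames instead of full URLs is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows: metadata only, no secrets.
ITEMS = [
    {"id": "a1", "title": "Ayo", "username": "me@example.com", "url": "https://ayo.example/login", "updated_at": "2021-03-02T10:00:00Z"},
    {"id": "a2", "title": "Ayo", "username": "me@example.com", "url": "https://ayo.example/login", "updated_at": "2021-03-02T10:00:05Z"},
    {"id": "a3", "title": "ayo ", "username": "Me@Example.com", "url": "https://AYO.example/", "updated_at": "2021-03-02T10:00:09Z"},
    {"id": "g1", "title": "Google", "username": "personal@example.com", "url": "https://accounts.google.com", "updated_at": "2019-01-01T00:00:00Z"},
    {"id": "g2", "title": "Google", "username": "work@example.org", "url": "https://accounts.google.com", "updated_at": "2023-06-01T00:00:00Z"},
    {"id": "g3", "title": "Google", "username": "work@example.org", "url": "https://accounts.google.com", "updated_at": "2021-06-01T00:00:00Z"},
    {"id": "n1", "title": "Netflix", "username": "me@example.com", "url": "https://netflix.com", "updated_at": "2020-01-01T00:00:00Z"},
]

def _identity(item):
    """Same account = same username on the same host, compared case-insensitively."""
    host = (urlsplit(item["url"]).hostname or "").lower()
    return (item["username"].strip().lower(), host)

def triage(items):
    """Return (ids to archive, ids that need a 'Service ~ Context' rename)."""
    by_title = defaultdict(list)
    for it in items:
        by_title[it["title"].strip().lower()].append(it)
    archive, rename = [], []
    for group in by_title.values():
        if len(group) < 2:
            continue  # unique title, nothing to resolve
        accounts = defaultdict(list)
        for it in group:
            accounts[_identity(it)].append(it)
        for same in accounts.values():
            # ISO 8601 UTC strings in one format sort chronologically as text.
            same.sort(key=lambda i: i["updated_at"], reverse=True)
            archive += [i["id"] for i in same[1:]]  # keep the newest copy
        if len(accounts) > 1:
            # Different logins behind one title: poorly named, not duplicated.
            rename += [same[0]["id"] for same in accounts.values()]
    return sorted(archive), sorted(rename)
```

The context half of each new title (Personal, Work, PJ) stays a human decision; the function only says which items need one.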
Bucket Two: The Renames
Thirty-six renames. Ten minutes of CLI work I had procrastinated on for eight years.
The Service ~ Context convention did most of the heavy lifting. When you have four Instagram accounts, Instagram is useless. Instagram ~ Personal vs Instagram ~ Pet vs Instagram ~ Old Business is immediately searchable.
Same pattern applied across Google, GitHub, Heroku, Netlify, DigitalOcean, banks, Apple ID, Twilio, Payoneer, and more. Four generic "Login" items got renamed to the service they actually belonged to: Finnhub, Boticário, Twilio for Wishare, Apple ID for Helsky Labs.
Every rename got logged. Every rename is reversible by running op item edit --title with the old value.
Bucket Three: The Graveyard
This is the bucket that surprised me.
When Claude Code surfaced the duplicates, it also flagged three items that did not feel right:
- A dev-tool account owned by an email that is not mine. That is a teammate from a job I left a while ago.
- A visa-appointment entry for someone who came along on a family trip in 2022 and never needed it again.
- A Google account signed in with an old Okta SSO from a contract that ended over a year ago.
Three items that should never have been in my vault. Certainly not today.
This is the part I would not have caught scrolling the list manually. It took pattern matching on emails, cross-referencing with jobs I no longer have, and noticing the Okta SSO signature to find them. Claude Code did the pattern matching in one pass. I confirmed each one. Archived.
Then I asked it to find everything else tied to that old contract and archive it in a batch. Eight items across Google, GitHub, Supabase, Cloudflare, SEMrush. Gone. Clean.
The Structure
Before the big sort, we needed vaults to sort into. I had one dev-adjacent vault with one lonely item in it, and everything else was crammed into Private.
We created four new vaults:
- Dev / Helsky Labs: BookBit, BusyGuard, Censorr, Falavra, Gitography, Wishare, DropVox, TokenCentric
- Dev / Infra: AWS, Cloudflare, Supabase, Netlify, Vercel, GitHub, DigitalOcean, Heroku
- Dev / AI & APIs: Anthropic, OpenAI, Algolia, Twilio, SendGrid
- Work: client and contract credentials that still live on the personal account
Each vault got a description and an icon. The slash in the name renders as a visual hierarchy in the 1Password app. Not real folders, but close enough.
The Dev Projects vault with its one lonely item got emptied and deleted.
The Sort
This was the part I did not want to do manually. 473 items left in Private. Each one needed a decision: does it move to one of the six new vaults, or does it stay?
Claude Code wrote a Python classifier. Rule-based, pattern-matching on title, username, URL, and category. Helsky product names routed to Helsky Labs. Infra keywords (AWS, Cloudflare, Vercel, and fifty others) routed to Infra. API service names routed to AI & APIs. Client and contract identifiers routed to Work.
The output was a markdown file dumped into my vault inbox. Grouped by destination. Every row had the title, username, URL, proposed destination, reason, and item ID. If I disagreed with a destination, I could edit the cell. If I wanted to archive instead of move, I could change Dev / Infra to ARCHIVE.
I reviewed it offline in Obsidian, which I prefer over scrolling long tables in a chat window. Agreed with everything. Saved.
Claude Code parsed my saved file and executed the moves. 103 of them.
98 succeeded. 5 failed.
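The classify, review, parse loop described above, as an added example and not the script Claude Code wrote. The keyword lists, field names and sample rows are constructed; the parser refuses any row whose destination or item ID it does not recognize, since the edited file is the input to a mutating batch.

```python
import re

VAULTS = ["Dev / Helsky Labs", "Dev / Infra", "Dev / AI & APIs", "Work"]
# First match wins. Keyword lists are a small illustrative subset (assumption).
RULES = [
    ("Dev / Helsky Labs", ["bookbit", "wishare", "dropvox"]),
    ("Dev / Infra", ["aws", "cloudflare", "vercel"]),
    ("Dev / AI & APIs", ["anthropic", "openai", "twilio"]),
]
# Constructed sample metadata rows (no secrets).
ITEMS = [
    {"id": "id01", "title": "Login", "username": "dev@example.com", "url": "https://console.aws.amazon.com"},
    {"id": "id02", "title": "Twilio for Wishare", "username": "dev@example.com", "url": "https://twilio.com"},
    {"id": "id03", "title": "OpenAI | old key", "username": "dev@example.com", "url": "https://platform.openai.com"},
    {"id": "id04", "title": "Bylaws portal", "username": "me@example.com", "url": "https://condo.example"},
]

def classify(item):
    """Return (vault, reason), or (None, "") when the item stays where it is."""
    hay = " ".join([item["title"], item["username"], item["url"]]).lower()
    for vault, words in RULES:
        for w in words:
            if re.search(rf"\b{re.escape(w)}\b", hay):  # whole word: "aws" must not hit "bylaws"
                return vault, f"keyword {w}"
    return None, ""

def render(items):
    """Markdown proposal table: one row per item that would move."""
    rows = ["| Title | Username | URL | Destination | Reason | ID |", "|---|---|---|---|---|---|"]
    for it in items:
        vault, why = classify(it)
        if vault:
            rows.append(f"| {it['title']} | {it['username']} | {it['url']} | {vault} | {why} | {it['id']} |")
    return "\n".join(rows)

def parse_reviewed(markdown, known_ids):
    """Turn the edited table back into a plan; unexpected rows are rejected, not executed."""
    allowed = set(VAULTS) | {"ARCHIVE"}
    plan, rejected = [], []
    for line in markdown.splitlines()[2:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 6:
            continue
        # Count from the right: a "|" inside a title cannot shift these columns.
        dest, item_id = cells[-3], cells[-1]
        if item_id in known_ids and dest in allowed:
            plan.append((item_id, dest))
        else:
            rejected.append((item_id, dest))
    return plan, rejected
```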
The Bug That Saved Me
Here is where the honesty starts.
When an item in 1Password has a "Sign in with Google" or "Sign in with GitHub" field (the ones where you use OAuth instead of a password), the 1Password CLI cannot currently move or archive it. It throws a validation error: unsupported field type: ssoLogin.
I hit this bug six times in one session. Once on archiving an old Okta-linked entry. Five times on moving SSO-linked services: Render, Supabase, claude.ai, OpenAI, Mindbodyonline.
The first time it happened, I considered finding a workaround. Editing the item to strip the SSO field, moving it, then re-adding the field. Claude Code could have done that. It did not offer to.
Instead it flagged the failures in the audit log, told me clearly which items needed manual intervention, and moved on. "You will need to drag these in the 1Password app."
That is the right call. Rewriting item fields to work around a validator bug is exactly the kind of clever maneuver that could lose data silently. "We cannot do this automatically, so we will not" is a better answer than "we will try, with extra steps, and pray."
That restraint is invisible when it works. It is load-bearing when it matters.
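The audit log from the setup and the fail-closed handling of the ssoLogin error, as one added example (not the session's own code). The log layout, the plan tuples and fake_run are assumptions; the op subcommands used are edit --title, move --destination-vault and delete --archive.

```python
import shlex
from datetime import datetime, timezone

def log_line(op, item_id, before, after, note=""):
    """One tab-separated line per mutation: time, operation, item ID, before, after, notes."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    clean = [str(f).replace("\t", " ").replace("\n", " ") for f in (op, item_id, before, after, note)]
    return "\t".join([ts] + clean)

def argv_for(op, item_id, after):
    """Map a planned operation to the op CLI argument list."""
    if op == "rename":
        return ["op", "item", "edit", item_id, "--title", after]
    if op == "move":
        return ["op", "item", "move", item_id, "--destination-vault", after]
    if op == "archive":
        return ["op", "item", "delete", item_id, "--archive"]
    raise ValueError(f"unsupported operation: {op}")

def execute(plan, run):
    """plan rows are (op, item_id, before, after); run(argv) returns (exit_code, stderr)."""
    log, manual = [], []
    for op, item_id, before, after in plan:
        code, err = run(argv_for(op, item_id, after))
        if code == 0:
            log.append(log_line(op, item_id, before, after))
        else:
            # Fail closed: no retry, no field edits. Log the error, leave the item as it was.
            log.append(log_line(op + "-FAILED", item_id, before, before, err))
            manual.append(item_id)
    return log, manual

def undo_renames(log):
    """Reversing commands for successful renames, newest first."""
    cmds = []
    for line in reversed(log):
        _ts, op, item_id, before, _after, _note = line.split("\t")
        if op == "rename":
            cmds.append(shlex.join(["op", "item", "edit", item_id, "--title", before]))
    return cmds

def fake_run(argv):
    """Constructed stand-in for subprocess.run so the example works offline."""
    if argv[3] == "sso1":
        return 1, "unsupported field type: ssoLogin"
    return 0, ""
```

1Password's CLI documentation notes that moving an item between vaults changes its ID, so a log keyed on item ID should record the new ID after each successful move.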
What Made It Work
Same pattern as the Documents folder cleanup six weeks earlier. Three things.
The plan was explicit before execution. I did not say "organize my 1Password." I said: here is the structure I want, here are the vaults to create, here are the rules for what goes where. Every batch had a preview before running. Every destructive action had an approval gate.
The tool matched the task. op is a CLI. It lists, reads, edits, moves, archives. That was the entire operation set I needed. No scraping, no hacks. Claude Code was wrapping the CLI with classification logic and an audit log.
Archive, never delete. Every "archive" in this post is recoverable. Nothing was hard-deleted. If I change my mind about any of the 21 archived items, I can restore them from the 1Password Archive view. The audit log tells me exactly which ones and when.
Before and After
Before:
Private: 494 items (banking + dev + work + streaming + family + forgotten jobs)
Dev Projects: 1 item (abandoned)
After:
Private: 375 items
Dev / Helsky Labs: 36 items
Dev / Infra: 19 items
Dev / AI & APIs: 10 items
Work: 33 items
Dev Projects: deleted
119 items repositioned. 21 archived. 37 renamed. All logged.
The Uncomfortable Part
I have been building systems professionally for eleven years. Password manager organization is a five-hour problem I had avoided for eight. That is not a skill gap. That is a tedium gap.
Claude Code did not teach me anything I did not already know. I knew old-contract credentials should be gone. I knew "Google" was a bad name for eleven different accounts. I knew Dev / Helsky Labs should exist.
What it did was collapse the cost of acting on what I already knew. The classifier ran in four seconds. The proposal was ready for offline review five seconds later. The batch move took three minutes.
Every decision was still mine. The tedium was not.
My Documents folder got the same treatment six weeks ago. My emails got it two weeks ago. My second-brain got it last year. The pattern keeps working because the pattern is not about AI intelligence. It is about removing the friction between "I know what to do" and "it is done."
The next time someone tells you AI is overhyped, ask them the last time they cleaned up their 1Password.