Below is my overall strategy, still needs polishing. I want things to remain simple, and recoverable in case something happens to my device.
First, passwords. Set up two password managers: Proton Pass for services, and Bitwarden for emails. Not much gained security-wise, but it keeps me at peace.
The PP password will be stored in BW, and the BW password will be memorized.
After setup, export unencrypted .json files and import them into KeePassXC, within an encrypted storage device, updated every 3 months. The password will remain the same as that of BW. Backup purposes only.
Now 2FA. Set up Ente Auth, with webview enabled, and store 2FA there, on a separate device which doesn't have a password manager. The seeds (+ Ente plain text export) will be backed up in an SN account, with no 2FA whatsoever. This is the second password that needs to be memorized; both Ente and SN will have the same password. Will be updated alongside BW.
To reduce friction, I'm also thinking of just straight up exporting encrypted backups of BW and Ente, but then I will be bound to the respective apps. Not sure.
Issues:
Backups are insecure in case of a breach. How to manage?
Passwords can be forgotten, and I detest writing things on paper due to my inability to secure it.
What about recovery codes that bypass everything? How do I store them?
First of all, everyone's threat model and security model (at least their perception of it) is different. So, don't get me wrong, but what you described, BW + PP + Ente Auth + SN, is very unnecessary from a security point of view. While keeping high security standards, you could definitely simplify things (memorize fewer things yourself) and reduce friction every time you access your logins by using only 2 things instead of 3 or 4: a password manager and an authenticator of your choice.
For Logins:
I think you are using a separate password manager to store emails and passwords to keep things away from each other, so that an attacker, in the highly unlikely scenario, will have to break two things before having full access. But this is redundant in my opinion: your PP password and email are stored in BW, so ultimately an attacker would have to break only 1 thing, your BW password vault. Mind that password managers are hard to get into if you use strong passwords.
Instead of using both BW + PP, use only one. If you are paranoid that someone may hit you on the head and access your password manager with your fingerprint, or steal your device unlocked, you could salt your passwords: store a long unique password in the password manager and complete it every time with something only you know in your head (e.g.: kmw#gsvcpVo^gF3jRfNc@TK7DR&E@oz3c5tSyXaSApVzFDyq + SOMETHING SIMPLE IN YOUR MIND (5XZU5gbnL4Vu) = kmw#gsvcpVo^gF3jRfNc@TK7DR&E@oz3c5tSyXaSApVzFDyq5XZU5gbnL4Vu). Keep the first (long) part of the password for each login in the password manager unique, and don't add any info about the second part in the password manager. Every time you want to access the login, you will have to do some manual work of typing out the last part yourself.
You could pair any offline or e2ee online authenticator with it. I like ente auth. Again, if you are paranoid of someone having physical access to your device in unlocked state, have a system that only you can use. I am using a system of not storing any visible or deducible link of passwords and authenticator codes, in either of the apps that I use. Someone may call it dumb but here it is.
Service Name : __________
Login : mail-id@mailid.id
Password : RandomShit + SomethingOnlyYouKnow
TOTP : A number (like 29)
Ente Auth has many codes and none of them have any notes or service name attached to them. They are identified using just a number (like 0-100). Modify original number (here 29) in a way that only you know (like this example: 29 * 2 - 15 = 43) and store the TOTP for that service in the resultant (here 43) numbered code. Do not mention the scheme used to modify the original number to get the resultant number in the password manager. It is not hard to remember it and to do a little math calculation each time.
Ente Auth account creds could be stored in the password manager or could be memorized. I don't want to memorize a whole lot of things, so I store them in the password manager. Online accounts of the password manager and Ente Auth should have TOTP enabled, but they complicate things as you need to store TOTP seeds somewhere in plain text or encrypted (one more password to remember now). I have Ente Auth account creds stored in my password manager; without the password manager, Ente Auth is useless. This solves the email and password problem, but TOTP codes are still a problem. I have stored them in my Ente Auth account and also in my wife's authenticator app under false numbers so that I could access them quickly (when I am already logged in). But if I got signed out from every device I own, it could lock me out forever. To avoid that, the TOTP seeds (with emails, passwords and recovery codes) of the password manager and Ente Auth are also stored in plain text where I keep my backups for the password manager and Ente Auth.
For Backup:
First of all, write down everything you do so that in some emergency someone you trust could access the system you created. Store your password manager & Ente Auth login info + their TOTP seeds + recovery codes in the same note. Also attach the info on how you have created your backups, where they are stored and detailed info on how to access them, in plain text. Manually encrypt the note (kryptor + OpenSSL) with ASCII armor so that you could send it to someone you trust (spouse or family member). To encrypt this note, you could use a password they already know. I do this with my sister who lives almost a thousand miles away and with my wife. We three have shared similar notes with each other which could only be accessed by us three in some emergencies. It's highly unlikely that we three die on the same day in two different locations.
Create manual backups of the password manager and Ente Auth each month or at a frequency you are comfortable with, encrypted or unencrypted. Store them locally on an encrypted volume. I like to encrypt the zip of it using Picocrypt, but again, 1 more password to remember. I have stored it in the password manager under a false name, and even there it is not complete. Also, I have shared this password with my loved ones. You could use Picocrypt encryption with just a keyfile. But sharing a password is easier than keyfiles. Also keyfiles, if altered or deleted, could lock you out.
For storage of backups, I use a macOS sparsebundle image where I don't delete the past backup when I create a new one. This image grows in size as I add more things and is easy to upload to a cloud, as only the changed bits are uploaded under the cloud sync. Use the 3-2-1 system to store your backups.
Doing so you need to memorize only 2 things : password manager credentials + short password to complete logins.
But each time you want to login somewhere, you have to do 2 things manually : type out extra short password yourself + a small mathematical calculation.
This increases the friction. But for me, I think I could handle that friction. I have now become familiarized with it.
The rest of the info is either in the password manager or in notes which I can access when I am at home, and is also shared with someone I trust to avoid a "got locked out" situation. Just sharing my process a little bit; this is working for me and a few others IK, no guarantee it will definitely work for others.
In my experience, overly complicated setups just for the sake of privacy, or just because you can do it, doesn't mean it's a good idea.
Based on your very first sentence, simply stick with one highly reputable cloud-based password manager like Proton Pass. It's the best and easiest way to manage your credentials and more. Your 2FA info can also be within it and so can any other important data. But if you really want to keep 2FA separate, use Ente Auth.
I personally find it silly when people have overly complicated solutions for problems that don't exist.
The only key here is to remember one or two credentials to get into your password manager and your Auth account, with randomly generated strong passwords that you're not using anywhere else and that are not at all related to anything about you or your life. That's it.
Credential management is not supposed to be this difficult and convoluted.
Those are my two cents. I hope you see and understand how I do it.
That's an additional thing to memorize, unfortunately. But I do realize the redundancy of two password managers.
My strategy also aimed at avoiding circular dependency, and as you mentioned, without backups you would be locked out. The chicken-and-egg problem bothered me quite a bit, as you should 2FA-protect your password manager, but where would you store your backup seeds without memorizing a third password?
A much better approach I found, which I should've mentioned, is that instead one could set up another Bitwarden account and designate it as a trusted emergency contact. One could store its login details on paper and set a long wait time for it to be able to access my vault. This way a family member can access your stuff in case something happens. 2FA still remains, but you could store your local backup password in BW as well, though I guess if you don't have trust issues this is just additional friction.
But then how do I access my password manager without 2fa? Avoiding circular dependency is important in oneâs setup so that you donât get locked out.
One credential, and the whole 2fa setup becomes redundant because you just need to get compromised once. Backups are necessary as well.
You donât set up 2FA on your password manager. You make a strong password you remember.
If you want 2FA on every account including your 2FA app, there's no end to it.
I don't understand what part of needing to remember a strong randomly generated password for your password manager is the friction here, with my exposition or your understanding of what's necessary or enough.
Listen, you do you as your threat model dictates. But on one of the accounts, you will have to let go of your 2FA and safeguard it only with your master password that's strong and that only you know and have memorized.
All this talk for an overly complicated "problem". It's supposed to be simple.
I very firmly disagree here. If your single password gets phished, keylogged or compromised in any way, it's game over.
Even Bitwarden forced email 2FA on all of its customers despite the circularity it creates (as most have their email password saved in BW itself), and took on the additional customer service burden of disabling that automatically enabled 2FA in case one gets locked out. Even this flawed implementation was better than no 2FA at all.
Okay. Let's say you add your 2FA to your password manager. And then you have to use your Auth account. And then you want to add 2FA to your Auth account. To what end will you want to keep securing your accounts?
Will you then want to use your security key as your 2FA for your Auth account? And what if your security keys are compromised? What is this, what if that… to what end?
Where do you want to draw the line? How do you want to draw the line?
You speak of simplicity in the first sentence of your OP and here you are debating overly convoluted OPSEC.
I don't know what you're looking for, but I don't think any answer you get here is going to satisfy your needs. And if your threat model really is this high, there is nothing this forum or even Privacy Guides can tell you to ensure your safety, because it would be a highly subjective and personal OPSEC. I then recommend you install KeePassXC on a USB and only use that on any device you want to use your password manager on.
I have nothing more to add. You have my views and answers. Good luck to you.
And had you read beyond that first line, we wouldn't be debating this.
So PG and the rest of the forum recommend not adding any 2FA to one's password manager? I think I struck a nerve here, so let's just agree to disagree.
I believe Ente Auth stores TOTP seeds in a plaintext .json in your home folder on Linux. Please correct me if I'm wrong, though; that's why I opted not to use Ente Auth.
Update: I double checked now and reinstalled the io.ente.auth AppImage. It seems like the issue might have been fixed since I last checked. It used to be that ~/.local/share/io.ente.auth/shared_preferences.json would store the unencrypted token seed; now it stores, I believe, encrypted keys. However, I understand way too little of cryptography to assess whether it is sufficiently secured now. Maybe someone who uses Ente Auth desktop on Linux can confirm.
I also found an issue (from 2024) where iOS and Windows users were also complaining about unencrypted storage.
That audit just concerned the server; apps were out of scope.
Again, I might be wrong, but I did find that .json both when using the AppImage and the Flatpak Ente Auth on Linux, and it persisted even when the app was closed.
But I'm not competent enough to assess. There are some issues open on their GitHub regarding this, I believe, though their GitHub has an insane amount of open issues and discussions, a lot due to people asking for an account restore lol.
Consider not always doing that though, because you might need to type your router's wifi password once in a while.
Set yourself some reminders to rotate your passwords every X months (expiration).
Add automatic backups there.
Store all recovery codes inside your password manager.
Use FIDO2/WebAuthn as MFA-only (if possible) to log in to all the websites.
When I say MFA-only, I do recommend avoiding SMS, TOTP or any other "weaker" authentication factor if they are not additive (email + pwd + FIDO2 + biometrics is fine).
The process of adding your hardware security keys (notice the plural) to each website might be annoying, but that one is the important backup that will give you peace of mind in case you lose one or alike.
Based on a higher threat model, consider carrying only a biometric YubiKey with you (or at least one that requires some extra action rather than just touching it).
You can always hold the key to add a hardcoded salt somewhere in the middle of your password too.
Do not add fancy 3rd-party extensions to your browser or password manager; go the old way of copy-pasting from one app to the other (to reduce risks of clickjacking etc.).
For when websites allow only some TOTP:
I do also recommend having those codes on the hardware security key itself rather than in an app on your phone.
Add some password before your TOTP code is shown (Yubico Authenticator allows for that for extra security, but others might too).
Want to go even further? Require a hardware key before accessing your laptop.
Best part? Some websites literally won't bother you further than pressing the key to log in. But if you want, you can add an additional PIN (can be letters/numbers) to those when logging in (on top of the press).
Realized that it was a bit longer than 2 cents, got carried away.
TL;DR: offline DB + hardware key + remember a long sentence (and/or share some hint with a family member in case you have an accident and lose your memory).
For backups, do that when you can, encrypt them and try those backups to be sure that they are still working.
Delete old ones? Backup offsite? Plenty of things to say there too haha. Maybe buy a (sturdy) safe?
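An added example, not code from any poster in this thread: a small standard-library Python script that does the "try those backups to be sure they are still working" step above for a plain-text TOTP seed export like the one the OP and the "For Backup" reply keep beside their password manager backups. It assumes the export is one otpauth://totp/... URI per line (the format most authenticators, Ente Auth included, import; check your own export, this is an assumption). The embedded sample export is constructed for the example; its first entry uses the RFC 6238 test seed, so the 8-digit code for Unix time 59 is the published value 94287082, and its second entry is deliberately corrupt to show that a bad line is reported instead of aborting the whole check.

```python
"""Check a plain-text TOTP seed export by recomputing codes from the seeds.

Added example, not code from the thread. Implements HOTP (RFC 4226) and
TOTP (RFC 6238) with the standard library only, so it runs offline on a
backup before you trust it. Assumption: the export is one otpauth://totp/...
URI per line (Ente Auth and most other authenticators import that format).
"""
import base64
import binascii
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample export. Entry 1 uses the RFC 6238 test seed
# ("12345678901234567890" in base32); entry 2 has a deliberately broken secret.
SAMPLE_EXPORT = """\
otpauth://totp/RFC6238%20SHA1:test?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&algorithm=SHA1&digits=8&period=30
otpauth://totp/Broken:entry?secret=NOT*BASE32&digits=6
"""


def parse_otpauth(uri):
    """Split an otpauth://totp URI into the fields needed to compute codes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI has no secret parameter")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def decode_secret(secret):
    """Base32-decode a seed; exports often omit padding and may contain spaces."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(entry, at=None):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(decode_secret(entry["secret"]), int(at) // entry["period"],
                entry["digits"], entry["algorithm"])


def check_export(text, at=None):
    """Return {label: code} for every URI in the export. Errors are reported
    per line so one corrupt entry does not hide the rest of the backup."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("otpauth://"):
            continue
        try:
            entry = parse_otpauth(line)
            results[entry["label"]] = totp(entry, at)
        except (ValueError, KeyError, binascii.Error) as exc:
            results[line] = "ERROR: " + str(exc)
    return results


if __name__ == "__main__":
    # Compare these with what the authenticator app shows right now.
    for label, code in check_export(SAMPLE_EXPORT).items():
        print(f"{label}: {code}")
```

Run it against your real export file instead of SAMPLE_EXPORT and compare each code with the one the app shows at that moment; a mismatch means the backup would not have saved you, which is the point of testing it before you need it.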
Interesting approach. Certainly very sophisticated, and I like the master KeePass DB approach. However, I fail to see the need for cycling passwords every X months when you use alias mail and a different password for each. Sounds cumbersome. I think good OPSEC should not only be proportionate but also convenient enough that you actually want to do it.
It is my view that biometrics are not suitable for high threat models. Both state actors and criminals have shown in the past that they can and will use force to get your biometrics. Especially your fingerprint is trivial to get for a state actor. It might be better to use a decent hardware key with a PIN.
Thanks.
I agree that cycling is optional; it depends on how critical some of your services are (I'm mostly suggesting that because some websites only allow for some 16 characters max or alike, while being government/bank stuff).
The password will probably not be the weakest link in all of this haha.
And yes, for the best convenience, hardware key all day but… not everybody has one or has the chance of using a website that allows for it.
Biometrics are a nice add-on on top of other MFA IMO, not the only go-to, yes, so credentials + PIN + biometrics, yes.
You may be assisting clipboard attacks: rogue software on your device monitoring your clipboard events.
Password manager add-ons will reduce phishing attempts by not autofilling on the wrong pages.
KeePassXC does have that Auto-Type feature in the docs (edit: link doesn't work due to escape sequences), but Auto-Type could be a lot to manage if one wants to enable all their accounts in this way.
There is a lot to my paragraph because it's detailed, but it's not a complex setup in itself because:
No maintenance of any sort, no Vaultwarden Docker, DB or any sort of dependency; a single file to worry about, resilient af.
No need to remember to do things to keep it running. Forgot a backup? It's not critical; you can still use your workflow as you did yesterday.
It's a "set it up once and forget" kind of setup: no endless config files, company drama to catch up on or migration updates to schedule. See a website? Open the DB, paste credentials, press your hardware key, done.
Or: just press the passkey and you're in (rare, but a few services allow that).
Sprinkle with a PIN if you feel like you need extra safety.
It's also centralized into 1 password manager, yet spread across your devices, but without the need to worry where to create a new entry and how (unlike OP's question with PP/BW).
As a good practice, maybe consider creating/updating passwords only on 1 main safe device and let the updates flow to other devices (read-only).
Simple mental model to understand too: you have a key for extra security, just like to open your house's door.
It's in a safe place, with no need to worry about the battery.
Depending on your threat model, it can also be plugged into your device 24/7.
There is a lot (because it's the delicate topic of passwords) but it's very frictionless and streamlined once you're used to it.
There are definitely trade-offs I'd say (e.g.: no easy password sharing), but not over-engineered IMO.
Fair point.
I mostly see the browser as an entry point to quite a lot of attack vectors, and browser extensions are pretty much a no-man's land when it comes down to security. So, the less the better IMO.
Also better for anti-fingerprinting etc.… but mostly 0 trust in that kind of store. I wish Obtainium could be used there to directly pull from GitHub. And even then, you can always get supply-chain attacks etc.… so yeah, I just opt out of it whatsoever.
What do I do to avoid phishing?
I have the URL already in my browser history; no need to follow a link or search-engine it.
Search shortcuts are also a blessing IMO, like https://github.com/search?utf8=%E2%9C%93&q=%s&type=Users
I start my journey from my KeePass: forgot the name of that store that I visit every 6 months… I search with the description of it, click on the URL link saved in my DB and log in from there.
Use websites that require a hardware security key; in case of me putting my email + password combo on some well-crafted website [1], I will still not be able to proceed further because it's not linked to that specific website. If I get tricked, reset with a brand fresh email + password combo and move on.
If none of the above, check the URL carefully and feel free to copy-paste it into some local monospaced editor that will highlight any weird-looking look-alike (Unicode) characters like lI (or more advanced tricks).
Remember where you are logged in. Most of the time, I know how long a given website will keep me logged in and I have it always open as a group tab.
If something is getting through all of this and didn't trigger any suspicions from my side at all: WP, I'll admit my loss willingly.
And yes, setting up URLs for every website is cumbersome and annoying. But you don't do that every week, and it is also a good start of a journey where you limit your digital footprint to only the websites that you care about/need.
I still feel my OPSEC, with at least password management, is better for almost all threat models. I've thought about it for years and I always end up coming back to this way of going about it, and hence my recommendation above.
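An added example, not code from any poster in this thread: the "paste the URL into a monospaced editor and look for look-alike characters" check from the post above, automated with the Python standard library. It takes the hostname as typed (case preserved, since `lI`-style tricks depend on it), reports non-ASCII hosts together with their punycode wire form, flags any label that mixes scripts (a Cyrillic letter among Latin ones is the classic case), and lists ASCII pairs that look alike in many fonts as weaker hints. The three URLs in the `__main__` block, including one with a Cyrillic `а` (U+0430) in place of the Latin `a`, are constructed inputs for the example, not real phishing domains.

```python
"""Flag look-alike hostnames before you paste credentials.

Added example, not code from the thread. Standard library only.
"""
import unicodedata
from urllib.parse import urlsplit

# ASCII pairs that look alike in many fonts; these are hints, not proof of phishing.
ASCII_CONFUSABLES = (("I", "l"), ("1", "l"), ("0", "o"), ("rn", "m"), ("vv", "w"))


def raw_host(url):
    """Hostname with its original case kept (urlsplit().hostname would lowercase it)."""
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]   # drop user:pass@
    if netloc.startswith("["):                          # IPv6 literal
        return netloc.split("]")[0] + "]"
    return netloc.split(":", 1)[0]                      # drop :port


def script_of(ch):
    """Script family taken from the Unicode character name, e.g. 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def inspect_host(url):
    """Return the host, its IDNA (punycode) form, strong findings and weak hints."""
    host = raw_host(url)
    findings, hints = [], []
    ascii_host = host
    if not host.isascii():
        try:
            # This is what actually goes on the wire; browsers may display either form.
            ascii_host = host.encode("idna").decode("ascii")
            findings.append(f"non-ASCII host; the wire form is {ascii_host}")
        except UnicodeError as exc:
            ascii_host = None
            findings.append(f"host cannot be IDNA-encoded: {exc}")
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    for needle, looks_like in ASCII_CONFUSABLES:
        if needle in host:
            hints.append(f"{needle!r} in host can pass for {looks_like!r}")
    return {"host": host, "ascii_host": ascii_host, "suspicious": bool(findings),
            "findings": findings, "hints": hints}


if __name__ == "__main__":
    # Constructed inputs: a plain host, a Cyrillic-a homoglyph, and a capital-I trick.
    for url in ("https://apple.com/login",
                "https://\u0430pple.com/login",
                "https://paypaI.com"):
        print(url, inspect_host(url))
```

Only non-ASCII and mixed-script labels set `suspicious`; the ASCII hints are deliberately kept separate because digits and capital letters are common in legitimate hostnames, so they are something to glance at rather than a verdict. A saved URL in the password manager, as the post recommends, avoids the problem entirely; this check is for the cases where you have to follow a link anyway.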