Managing logins doesn’t have to be complicated. I use Bitwarden to securely store credentials and 2FAS for multi-factor authentication, keeping accounts protected and easy to access. This setup strikes a balance between convenience and strong security for everyday use.
Why Use a Password Manager?
In today’s digital age, nearly every service requires a unique login. Relying on the same username and password across multiple platforms is a recipe for disaster, as a breach on one service could compromise all accounts sharing those credentials. A password manager helps address this issue by securely storing unique logins for every account, eliminating the need to memorize dozens of passwords.
When generating passwords, I strongly recommend passphrases over randomized strings. Passphrases are easier to type, especially on devices like printers that may not allow copy-pasting. Of course, the passphrases should be strong enough—somewhat long (at least three words), and include one number, a capital letter, and a special character. Randomized passwords might be more secure in theory, but the practicality of passphrases often makes them a better choice for day-to-day use.
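As an added illustration of the passphrase rule above (this is example code written for this page, not part of the original post or of Bitwarden), the following generator draws words with the `secrets` module and the checker enforces the stated policy: at least three words, one number, one capital letter and one special character. The word list is a constructed toy list; a real generator would use a large published list such as the EFF long wordlist so each word contributes more entropy.

```python
import math
import secrets

# Constructed toy wordlist for the example; a real tool would load a large
# published list (the EFF long wordlist has 7776 words, ~12.9 bits per word).
WORDLIST = [
    "anchor", "bright", "canyon", "dolphin", "ember", "forest", "glacier",
    "harbor", "island", "juniper", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble", "quartz", "ridge", "saddle", "timber", "umbrella",
    "velvet", "willow", "yonder", "zephyr",
]
SPECIALS = "!@#$%&*-_=+?"


def generate_passphrase(words=4, wordlist=WORDLIST, separator="-"):
    """Return a passphrase satisfying check_policy(): `words` randomly
    chosen dictionary words, the first capitalised, then one digit and one
    special character. Selection uses `secrets`, never `random`."""
    if words < 3:
        raise ValueError("policy requires at least three words")
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    chosen[0] = chosen[0].capitalize()
    digit = str(secrets.randbelow(10))
    special = secrets.choice(SPECIALS)
    return separator.join(chosen) + digit + special


def check_policy(passphrase, separator="-", min_words=3):
    """Apply the post's rule: at least three words plus one digit, one
    capital letter and one special character anywhere in the string."""
    words = [w for w in passphrase.split(separator) if w]
    has_digit = any(c.isdigit() for c in passphrase)
    has_upper = any(c.isupper() for c in passphrase)
    has_special = any(c in SPECIALS for c in passphrase)
    return len(words) >= min_words and has_digit and has_upper and has_special


def estimate_entropy_bits(words, wordlist=WORDLIST):
    """Entropy from the word choices alone: log2(len(wordlist)) per word.
    The appended digit and special character add only a few bits, so they
    are ignored here; the word count is what makes the passphrase strong."""
    return words * math.log2(len(wordlist))


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_policy(phrase), round(estimate_entropy_bits(4), 1))
```

The entropy estimate is the useful part: with the 25-word toy list, four words give under 19 bits, which is why a real generator needs a list thousands of words long rather than a longer policy.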
Passkeys are also worth mentioning. These are designed to eliminate the need for passwords entirely by relying on public-key cryptography. While great in theory, passkeys face challenges in practice. Services offering passkey support often still treat passwords as the primary option for access, with passkeys serving as an additional layer. Syncing passkeys across platforms (Mac, Windows, Android, iOS) can also be inconsistent, and not all services currently support them, limiting their usefulness.
Why Use MFA?
Passwords alone are not sufficient for securing accounts. Multi-factor authentication adds an additional layer of security by requiring, in addition to something you know (your password), something you have (a device or token) or something you are (biometrics). Common MFA methods include:
- Hardware tokens, such as YubiKey.
- Email or SMS codes (though SMS is considered insecure due to SIM-swapping attacks).
- Authenticator apps, such as Duo Mobile, Authy, and 2FAS.
SMS and email authentication are widely used but come with significant vulnerabilities. SMS-based MFA is particularly insecure due to risks like SIM-swapping attacks, where attackers gain control of your phone number to intercept codes. Email authentication, while slightly more secure, can be compromised if the associated email account is breached. Despite these weaknesses, many banks still force or only offer SMS as a second factor. This reliance on SMS is likely due to concerns about non-tech-savvy users struggling to recover their accounts if they switched to authenticator app-only solutions, which could increase customer service burdens and operational challenges for the banks. Chase is one of the few banks that allows hardware tokens for MFA, but it still does not support authenticator apps, leaving room for improvement in balancing security and accessibility.
Authenticator apps provide a convenient and secure way to generate one-time passwords, making them a strong choice for most threat models. They are not tied to your phone number or email: they generate time-based one-time passwords (TOTP) from a shared secret that is stored locally on the device, so nothing is sent over SMS or email that could be intercepted. This makes them resistant to phishing and remote attacks. However, they require secure backup solutions to avoid losing access if your device is lost or damaged.
Hardware tokens, such as YubiKeys, are often the preferred option in cases where security is of utmost importance. These physical devices generate unique codes or use cryptographic keys, offering unparalleled protection against phishing and other attacks. While they are highly secure, their cost and the need to carry a physical device can make them impractical for some users. Each MFA method has its trade-offs, but for most users, an authenticator app strikes the right balance between security and convenience.
Bitwarden: My Password Manager of Choice
I’ve tried 1Password and LastPass in the past, but they never felt right for me. Bitwarden, on the other hand, has been a great fit. It’s open-source, which I appreciate, though I’m aware that open-source doesn’t inherently mean better security. Plenty of closed-source apps, including password managers, are excellent, and they often have more sustainable business models, making them more likely to be around for the long term.
Bitwarden integrates well with email aliasing services, which I use to generate unique usernames. Similar to unique passwords, having different usernames or email addresses for each account makes it harder to link accounts in the event of a breach. If someone gains access to an email address used for one service, they might attempt to brute force other accounts, but this approach is unlikely to work since the email used for critical accounts isn’t even the same. I rely on SimpleLogin for email aliasing. It works seamlessly with Bitwarden, making it easy to generate unique combinations of usernames and passwords.
This concept extends to security questions—instead of using easily guessed answers, I generate passphrases that are easy to spell over the phone if needed for account recovery. I can’t imagine trying to read something like “kadnflnkasKDAKFJadf3292**10” over the phone in such situations, which is why passphrases are a much more practical choice.
Bitwarden’s premium plan is reasonably priced at $10 per year and offers features like security reports, data breach alerts, and an integrated authenticator. While I don’t use the authenticator, others might find it convenient. It also supports passkeys, adding to its versatility. The browser extension is another feature I appreciate. While some might consider using browser extensions insecure, I’ve evaluated my personal threat model and concluded that this trade-off is acceptable for my needs. My threat model prioritizes convenience while maintaining a reasonable level of security; I’m not guarding against nation-state actors or highly sophisticated attacks, but rather everyday threats like phishing, credential stuffing, or casual breaches. For others with stricter requirements, this balance might differ, and alternative approaches may be more suitable.
For those seeking a local-only alternative, KeePassXC and the broader KeePass family are excellent options. I briefly tried KeePassXC, but it was not for me. Managing and syncing the database files can be inconvenient, adding friction to the process. Reducing friction is key to ensuring security tools are actually used.
2FAS: My MFA App of Choice
While some password managers, including Bitwarden, offer integrated MFA functionality, I prefer using a standalone app. Previously, I used Authy but grew concerned about its reliance on a phone number to link accounts, which raised concerns about SIM-swapping attacks and the potential for intercepted MFA codes. Transitioning away from Authy was challenging, as exporting accounts was a nightmare. Authy does not offer a straightforward method for exporting MFA secrets, and I had to rely on a convoluted and finicky workaround to migrate my accounts.
Next, I tried Raivo, which worked well until it was quietly sold to a dubious company without the developer informing users. Concerned about the lack of transparency, I migrated to 2FAS. The transition was smooth, as 2FAS supports importing Raivo OTPs automatically. Additionally, 2FAS’s export format is a .2fas file, which is technically JSON under the hood, making it easy to switch to another app if needed in the future.
2FAS offers a clean, straightforward interface and can be used entirely offline as a local-only solution for those who prefer that option. However, I choose to sync it via iCloud for added convenience, as it fits well within my security and usability needs. Another feature I appreciate is its Apple Watch app, which makes accessing OTPs even more convenient without needing to reach for my phone. It’s a robust solution for those who value security and want to avoid the complications associated with app migrations or reliance on specific ecosystems.
Final Thoughts
By combining Bitwarden for password management and 2FAS for multi-factor authentication, I’ve created a system that balances strong security with everyday convenience. In an era where online threats are increasingly sophisticated, tools like these are essential for protecting accounts and maintaining peace of mind. Whether you’re looking for a secure way to manage passwords or a reliable MFA app, these tools provide a practical and effective solution.