November 8, 2025, 2:51am 1
Below is my overall strategy; it still needs polishing. I want things to remain simple, and recoverable in case something happens to my device.
First, passwords. Set up two password managers, Proton Pass for services, and Bitwarden for emails. Not much gained security-wise, but it keeps me at peace. PP password will be stored in BW, and BW password will be memorized.
After setup, export unencrypted .json files and import them to KeePassXC, within an encrypted storage device, updated every 3 months. The password will remain the same as that of BW. Backup purposes only.
Now 2FA. Set up Ente Auth, with webview enabled, and store 2FA there, on a separate device which doesn’t have a password manager. The seeds (+ Ente plain text export) will be backed up in an SN account, with no 2FA whatsoever. This is the second password that needs to be memorized; both Ente and SN will have the same passwords. Will be updated alongside BW.
To reduce friction, I’m also thinking of just straight up exporting encrypted backups of BW and Ente, but then I will be bound to the respective apps. Not sure.
Issues:
- Backups are insecure in case of breach. How to manage?
- Password can be forgotten, and I detest writing things on paper due to my inability to secure it.
- What about recovery codes that bypass everything? How do I store them?
Thanks.