[Tmpod]

Yeah that's a good point. I have pretty much all my passwords on BitWarden but no 2FA tokens to avoid "putting all my eggs in one basket". If you centralize both secrets, you don't really have two factors of authentication anymore. I use Aegis on mobile and pass (with otp extension) on the computer, with completely different passwords from bitwarden.

If you're worried about using Bitwarden's cloud vault, you can always spin up an instance of vaultwarden (FOSS server impl in Rust) and point your clients to it. I haven't done it myself yet (though I will likely do it) but I've heard it works really well.

[devjab]

For me it was more a matter of convenience than security. I didn’t mind using “sameish” passwords for 90% of my accounts. Good enough not to be auto-broken on one leak, really bad if someone actually targeted me. But what eventually drove me to Bitwarden was that I needed more and more different 2FA method which were all somehow linked to my phone. Many of which weren’t actually backed up. My first idea was to just use Authy, but apparently my phone number is linked to an account that isn’t mine, and their support has been unable to do anything about it, so that’s not exactly possible. So I went with Bitwarden.

I’m not too worried about the eggs in one basket. My digital national ID and my email credentials aren’t saved on my Bitwarden, so while I obviously don’t want to lose it, it also wouldn’t be the end of the world for me.