Two factor authentication goes to my Android phone or my email. At this time, I could not opt out of the Android system if I wanted to. I used to dislike 2fa but now I accept the inconvenience as higher level of security for me.
In general authenticators are more secure than email or sms 2fa. You could use Authy, Google Authenticator or (better) Yubico Authenticator. The best option is a physical security key. Buy two.
My current username/password list is on paper. I may make a spreadsheet with website url - username - password information to print out, then delete the password column. I don't want a list of username/passwords in digital format, but writing them on paper is not as efficient as using a spreadsheet.
You might consider changing this asap. A keylogger is probably your biggest vulnerability, especially if you are not using antivirus/antimalware as you said above. If you are typing in your password you are vulnerable. One of the great things about password managers is the fact that key loggers are useless, except for the password to get into the manager. That's why you want a physical security key on it. Also, you can generate nonsensical answers to challenge questions (Mother's Maiden Name: vYaL89Q%4UFqWk1ya0E) for each account and save them as well.
Looking at your setup, there's an aspect of resilience to change to consider.
1. Will you stay current with security updates?
2. What if product X is no longer supported. Are you prepared? Are you watching for it?
3. Will the complexity be sustainable as other demands on your time increase?
4. What about as your cognitive abilities decline with age or sickness?
5. What about a partner / spouse, if you are no longer around?
I use an encrypted online backup tool. For some reason the software stopped updating, which meant the automatic uploads had stopped working. I was thinking of it as a "set it and forget it" type thing. By the time I checked, my backups were 2 years out of date.
Similar, with the same vendor, I got a last minute notice. Less than a month before my annual bill was due, they unilaterally changed terms. Because I was fully counting on them, I had to scramble to get a secondary solution in place. They got enough customer pushback to reverse the terms change, but it highlighted fragility in my system.
Now I run the ongoing encrypted online backups. But I also check them at a recurring interval, taking a manual backup at that same time.
Accessibility in the event of cognitive decline or death is a strong consideration in all my strategies. It heavily favors accepting the risk of managed solutions.
Looking in the totally opposite direction - there are encrypted password vaults you can self-manage. I personally would hate the hassle, but it might be in the spirit of where you are heading.
I am using unattended-upgrades, so the raspberry pi system should be automatically up to date. If not, most of the time that I install something new I start with sudo apt update, sudo apt upgrade, as a check. I manually create backups, and have about 5 backup drives with duplicate data, some older than others. I don't zip my backups, so they are readily usable by anyone. Most of my data is not crucial, and to be honest, I should go through and delete the unneeded stuff to save Gb's. If I lost the combination to my safe, that would be a problem.
My goal is to have a backup sd card and usb drive which can be plugged into any raspberry pi, and will recreate my online presence. That and a paper copy of url's/usernames/passwords should allow someone access to my online activities. It is true that not everyone can run a linux system. If my VPN breaks, or I fail to pay the service, that could cause problems, but connecting to wifi would overcome the ethernet disconnection.
My spouse should be able to access important websites on her own computer, solely from the paper url/username/password document, if necessary. The two factor authentication protocol could cause problems, but I intend to use a physical Y key to reduce the need for an Android phone. That may be easier, or may cause problems if the key is lost, or someone does not know how to use it. I don't have one yet, so for now my spouse needs to be able to open my phone.
I don't like the idea of putting passwords in digital format online or in the hands of others. Probably old school thinking. To be honest, I don't like having my financial institutions open to the internet, I would rather deal face to face with cash and checks (despite the convenience of online banking). But those times are long gone.
I have not encrypted my drives but that is a consideration.
A good password vault will never transmit or store the raw password. The only place the decrypted value exists is on your personal device, when you are using the password. If you lose the master password, the data is gone forever. For me, these gains were worth accepting the risk:
1. Ease of using a different, complex password for every site
2. Confidence my password list is current and available should something happen to me
Paper gets out of date. Using unique passwords over dozens of sites is unrealistic. I have similar thinking in using an encrypted online backup solution.
From what I understand, it's possible for a loved one to get through the password wall with a death certificate. But, it is much harder. And it assumes they know where to go.
Personally, I trust a modern website far more than a bank teller or cashier. I've seen the work that goes into both securing data and auditing that security. While any company or person can be breached, I think protections are generally in proportion to the risk/impact of a breach.
https://btc.us/ is selling .btc domain names for $5 for 5 years.
Really common names are available at the moment. For instance, EarlyRetirement.btc is available. You can only register one name per account but can create as many accounts as you'd like with a stx wallet. At the moment .btc is not a top level domain but may be useful when defi becomes more popular. Key word here is *may* become useful.
For those of us using Android devices - a small change I recently made:
1. Disable Chrome, using the duckduckgo browser instead: https://play.google.com/store/apps/deta ... roid&gl=US
2. Join the app tracking beta and enable protection. This sets up a local VPN, which stops apps from send data to known 3rd party trackers.
Certainly not the strongest protection, but an easy improvement over stock Android. I am deeply embedded in the Google ecosystem. So settling for the small win is all I'm prepared to do. There are better, more complex solutions. I switched from Chrome to Firefox on my windows PC, for similar reasons.
Were I willing to wipe the slate, Apple has differentiated themselves in the privacy space. I would pick an iPhone over android. They have built app tracking protection into their base OS.
I will note - much of the tracking is not nefarious. Application developers embed telemetry collection into their software, to discover problems automatically. The goal is to better serve users. But it can come at the price of your privacy. And that data can be misused.
Importantly, missing from this thread is using TailsOS from a USB thumb drive whenever you look up privacy, jruggz, and semi legal things. You probably can't watch Rob Braxman through Tor browser, but you could use Brave.
I don't really believe in paying a VPN with your state name and credit card. Pay with Monero anonymously to a vpn like Mullvad.
If you're going with a degoogled phone (phones are a big issue and the best solution is to use them less) then you can download Orbot to run your apps through TOR routing. For example, you could use an encrypted chat app like Signal routed through TOR by using Orbot.
