Don’t remember your passwords.
Don't try to choose or remember your passwords
Use the valuable but limited power of your brain for more important things like remembering to tell people who you love that you love them or being thankful for what you have.
Use a password generator.
Use passphrases wherever possible. Size matters ;)
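To show why size matters, here is an added example (not from the original page) that generates passphrases and random passwords with the OS CSPRNG and computes their entropy; the 12-word list is constructed for the demo, and the 7776 figure assumed for a real diceware-style list is the size of the EFF long wordlist.

```python
import math
import secrets
import string

# Constructed sample wordlist for the demo only. A real generator
# uses a list of thousands of words (the EFF long list has 7776).
SAMPLE_WORDS = ["apple", "river", "copper", "lantern", "meadow", "orbit",
                "pencil", "quartz", "saddle", "timber", "velvet", "willow"]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices_per_element: int, elements: int) -> float:
    """Entropy in bits of a secret whose elements are chosen uniformly
    and independently from `choices_per_element` options. It grows
    linearly with length, which is why size matters."""
    return elements * math.log2(choices_per_element)


def generate_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick `words` entries uniformly at random (secrets, not random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random password over the full printable ASCII set."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(words: int, chars: int, wordlist_size: int = 7776) -> dict:
    """Entropy of a `words`-word diceware passphrase vs a `chars`-char
    printable password, so the two can be compared on equal footing."""
    return {
        "passphrase_bits": round(entropy_bits(wordlist_size, words), 2),
        "password_bits": round(entropy_bits(len(PRINTABLE), chars), 2),
    }


if __name__ == "__main__":
    print(generate_passphrase(5), generate_password(16))
    # A 5-word passphrase (~64.6 bits) beats an 8-char password (~52.4 bits)
    print(compare(5, 8))
```

Entropy only holds if the choice is uniform and made by a CSPRNG; a passphrase a human picks from memory does not reach these numbers.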
Don’t reuse your passwords
Post-breach analysis has repeatedly shown that the same accounts were exposed over and over again, often with the same passwords, which then put the victims at further risk of their other accounts being compromised.
Simply put, even if one site where you reused a password gets compromised, all your accounts where you had reused that password are at risk.
Store your 2FA/TOTP tokens in your password manager
If stored in an actual password manager, 2FA tokens would be encrypted with all your passwords. So one could argue that keeping your 2FA tokens in your encrypted password manager would be a security upgrade compared to many TOTP apps.
The biggest reason to keep your 2FA tokens in your password manager is that it’s in one location and gets backed up.
Far too many people don’t realize that apps like Google Authenticator and many others don’t automatically back up your 2FA tokens. So if you get a new phone or lose your phone, you also lose your 2FA.
Storing the tokens in your password manager also gives you more flexibility if you want to get out. Many of these TOTP apps don’t allow you to get the secret out once it’s saved.
Plus, it’s easier to secure one thing to the max than worry about the security of multiple little things.
Excerpt from -
Set up physical-only 2FA access to that password manager
Buy two USB authentication keys (about $30 each, but get at least one good sturdy one that’ll last). Make those physical keys the only 2FA method for the password manager. Keep one with you at all times and the other in a safe place.
Make a pragmatic choice about how you log in to your password manager. “Best” would be to require your physical key every time, and for it to log you out automatically.
The default is more realistic: it requires your physical key the first time you set it up on a new machine, and only your password from then on.
I’d recommend Bitwarden.
To start using it, just install the browser add-on. It will ask you to save passwords as you browse. If you’ve been keeping your passwords in a notebook, you can also add them manually.