From here, we can have a discussion about broad behavior and individual behavior. We observe that at scale people reuse passwords if they are not using a password manager. End of story. Getting people to use a password manager at scale is the single largest practical improvement in account security for the general population that we have available to us right now. This is even true with the risk of a vault being stolen and unlocked. I've never seen any data that even remotely challenges this point.
Cloud management of passwords is basically non-negotiable for most people. "Oh fuck, my vault was on my computer and I dropped it on the floor and the disk broke" will be a constant occurrence. Getting everybody to properly back up their vaults is not feasible at scale.
You can separately talk about specific people if you want. If you are capable of creating unique and sufficiently strong passwords for all of your accounts, then go ahead and avoid a password manager. This will mitigate a marginal risk for you.
If you're worried about using Bitwarden's cloud vault, you can always spin up an instance of vaultwarden (FOSS server impl in Rust) and point your clients to it. I haven't done it myself yet (though I will likely do it) but I've heard it works really well.
I’m not too worried about the eggs in one basket. My digital national ID and my email credentials aren’t saved on my Bitwarden, so while I obviously don’t want to lose it, it also wouldn’t be the end of the world for me.
For extra security I use a key file in addition to a password which I manually transfer between devices.
I'm sure I forgo some convenience by not having fields auto-populate all of the time (KeePass can do some of this, but I haven't had it work reliably), but I relax knowing I need not worry about a third-party service being hacked or my credentials being behind a paywall.
For the average user, it is infinitely better to use a password manager than to use hunter42 on all their accounts.
My relevant data is synced regularly to my NAS (running a RAID-1) and I weekly back the whole thing up to an offsite disk at my parents' house.
Can someone who really, really wants it get to it? Sure, but how big of a target am I against a cloud provider?
I keep super important 2FA codes (email, GitHub etc.) elsewhere, and for less important services, I store the OTP in my password manager.
On the topic of phishing and OTPs, storing the OTP in your password manager could actually help with phishing (as opposed to storing it in an authenticator), because it will only autofill on the correct domain. This can be the difference between compromising a password or the whole account.
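To make the "only autofills on the correct domain" point concrete, here is an added example (not code from anyone in this thread or from any real password manager) of the origin comparison an autofill step performs before releasing a saved password or OTP; the vault entry and candidate page URLs are constructed for illustration.

```javascript
// A human glances at a URL bar and can be fooled by a lookalike; a password
// manager compares the full origin (scheme, host, port) and is not.
function originOf(url) {
  const u = new URL(url); // throws on malformed input
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unsupported scheme in ${url}`);
  }
  // u.origin is "scheme://host[:port]" with default ports elided and the
  // hostname already lower-cased, e.g. "https://accounts.example.com".
  return { scheme: u.protocol, host: u.hostname, origin: u.origin };
}

// mode "exact": scheme, host and port must all match (strictest).
// mode "host":  hostname must match; an https entry still refuses plain http.
// Lookalikes such as "accounts.example.com.evil.test" never match because the
// comparison is on the whole hostname, not a substring or a visual check.
function shouldAutofill(savedUrl, pageUrl, mode = "exact") {
  const saved = originOf(savedUrl);
  const page = originOf(pageUrl);
  if (saved.scheme === "https:" && page.scheme !== "https:") {
    return false; // never hand an https credential to a plaintext page
  }
  if (mode === "exact") return saved.origin === page.origin;
  if (mode === "host") return saved.host === page.host;
  throw new Error(`unknown mode ${mode}`);
}

// Constructed vault entry (hypothetical site) and pages a user might land on.
const ENTRY = { url: "https://accounts.example.com/login", user: "alice", otp: "123456" };
const PAGES = [
  "https://accounts.example.com/signin",          // same origin: fill
  "https://accounts.example.com.evil.test/login", // suffix lookalike: refuse
  "https://accounts-example.com/login",           // hyphen lookalike: refuse
  "http://accounts.example.com/login",            // https -> http downgrade: refuse
  "https://accounts.example.com:8443/",           // other port: exact refuses, host fills
];

// Returns [pageUrl, decision] pairs so the outcome can be inspected or asserted.
function fillDecisions(entry, pages, mode = "exact") {
  return pages.map((p) => [p, shouldAutofill(entry.url, p, mode)]);
}

console.log(fillDecisions(ENTRY, PAGES));
```

The OTP only ever leaves the vault when the decision is true, which is why a phished password page on a lookalike host receives neither the password nor the code.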
Also, there is a chance of data breach. The 2FA and hardware keys are bypassed in this case. It’s all your master password.
Not sure I follow. When my master password is breached, attackers would still need to have my hardware key (which I obviously don't keep in the cloud), right?
On the other hand, keeping everything in sync manually seems a hassle, and in the end you just encrypt on your machine and the syncing goes through the cloud anyway, so where's the difference? I'd be happy to hear thoughts on this.