# World Passkey Day: Bitwarden and Tuta on passwords, passkeys, and building a more secure digital life

For World Password Day, Bitwarden joined Tuta, the open source encrypted email provider, for a live conversation on practical steps anyone can take to protect online accounts.

*By Bitwarden Events*

*Published: May 7, 2026*

---

Password security does not have to be complicated, expensive, or time-consuming. For World Password Day, Bitwarden joined Tuta, the open source encrypted email provider, for a live conversation on practical steps anyone can take to protect online accounts. Ryan Luibrand from Bitwarden and Hanna Bozakov from Tuta covered practical ways to strengthen digital security, from password generation basics to passkey portability and post-quantum encryption readiness.

Here are the key takeaways, along with a free toolkit to get started today.

## Start with a password manager

One of the most important steps for stronger digital security: adopt a password manager. 

Most people manage dozens to hundreds of logins, from banking and email to smart thermostats and streaming services. Remembering a [strong, unique password](https://bitwarden.com/de-de/blog/how-long-should-my-password-be/) for every account is not realistic. A password manager fills that gap.

Reusing passwords or relying on a predictable pattern creates a single point of failure. Attackers can now use automation and AI to test reused or predictable credentials at scale.

> "Even just having a system in which you have a slightly different password that's guessable isn't good enough. You need to have a completely machine-generated password that a human could not possibly remember that also was never used anywhere else before." — Ryan Luibrand, Bitwarden

A password manager generates, stores, and autofills strong, unique credentials across every device.

## “What if I don’t want to put all my eggs in one basket?”

The most common pushback against password managers is the worry about putting all credentials in one place. It seems logical on the surface: if everything worth protecting lives in a single location, that location becomes a bigger target. Ryan acknowledged the concern, then flipped it:

> "We don't distribute gold bars to every bank in the entire country. Everything is in one spot so you can secure and fortify it properly." — Ryan Luibrand, Bitwarden

The more important question, Ryan argued, is what the alternative actually looks like. Writing passwords in a notebook, reusing them across accounts, or relying on a predictable pattern all create their own single point of failure. The difference is that a password manager fortifies that single point with [end-to-end encryption](https://bitwarden.com/de-de/blog/end-to-end-encryption-and-zero-knowledge/), open source code review, and multiple layers of protection. A notebook or a reused password does not.

## Strong and unique means machine-generated

Once a password manager is in place, the next step is putting it to work. For passwords stored inside a vault, let the password manager generate them: random strings of 20-plus characters that no human could memorize or guess.

For the handful of passwords that need to stay memorized, like a vault master password and an email password, [passphrases](https://bitwarden.com/de-de/blog/how-to-use-the-bitwarden-passphrase-generator/) work best. A string of random words creates high entropy while remaining memorable. Both Bitwarden and Tuta offer passphrase generators built into their products.
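To put numbers on "20-plus characters" and "high entropy", the added example below (not Bitwarden's or Tuta's generator code) draws both kinds of secret from the operating system's CSPRNG and computes their entropy. The 16-word list is constructed so the block runs offline, and the 7776-word list size used for the arithmetic is an assumption, typical of diceware-style lists.

```python
import math
import secrets
import string

# Pool for vault-stored passwords: letters, digits and punctuation (94 symbols).
CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample list so the example is self-contained. A real passphrase
# generator draws from thousands of words; 7776 is ASSUMED for the math below.
SAMPLE_WORDS = [
    "amber", "bison", "cedar", "delta", "ember", "fjord", "glint", "harbor",
    "ivory", "jolly", "kiosk", "lunar", "maple", "nylon", "orbit", "plume",
]
ASSUMED_LIST_SIZE = 7776


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` options.

    The figure only holds when every pick is random; a human-chosen pattern
    has far less entropy than its length suggests.
    """
    return length * math.log2(pool_size)


def generate_password(length: int = 20) -> str:
    """Machine-generated password for storage in the vault."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def generate_passphrase(words, count: int, sep: str = "-") -> str:
    """Passphrase of `count` random words for the few secrets kept in memory."""
    return sep.join(secrets.choice(words) for _ in range(count))


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(generate_password(), f"{entropy_bits(len(CHARSET), 20):.1f} bits")
    print(generate_passphrase(SAMPLE_WORDS, 5), "(sample list, demo only)")
    for n in (4, 5, 6):
        print(n, "words:", f"{entropy_bits(ASSUMED_LIST_SIZE, n):.1f} bits")
```

With a 7776-word list each word adds about 12.9 bits, so the word count matters far more than which separator or capitalization is used.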

## Two-factor authentication belongs on every account

Strong passwords are step one. Step two: turn on [two-factor authentication (2FA)](https://bitwarden.com/de-de/blog/basics-of-two-factor-authentication-with-bitwarden/) on every account that supports it, starting with any password manager and email accounts. Authenticator apps that generate time-based one-time passwords (TOTP) provide stronger protection than SMS codes, which are vulnerable to SIM-swapping attacks.

Bitwarden Password Manager includes a vault health report that flags stored logins that support 2FA but do not have it enabled yet, making it easy to close those gaps.

## Be strategic about what stays outside the vault

One nuance Ryan raised: avoid creating a lockout loop. If an email password lives only in a password manager, and that password manager requires an email-based 2FA code to unlock it, the result is a circular dependency. Bitwarden uses zero-knowledge encryption, meaning no one at the company can reset a master password.

The practical takeaway: keep a primary email password and a vault master password memorized. Passphrases make this manageable. Store everything else in the vault.

## AI-powered threats make strong credentials more important

Even with strong passwords and 2FA in place, the threat landscape continues to evolve. [AI-powered phishing](https://bitwarden.com/de-de/blog/ai-phishing-attacks-are-on-the-rise/) is becoming nearly indistinguishable from legitimate communications. Voice spoofing enables impersonation of trusted contacts. Social engineering, amplified by AI, represents one of the biggest security areas to watch.

Strong, unique passwords and 2FA remain the most effective defenses against credential-based attacks, no matter how sophisticated the phishing attempt. A password manager helps generate and store strong, unique credentials, while an authenticator app or integrated TOTP adds a secondary security layer.

## Passkeys point toward a passwordless future

Looking further ahead, passkeys offer a fundamentally different approach. [Passkeys](https://bitwarden.com/de-de/blog/what-are-passkeys-and-passkey-login/) use public-private key cryptography so that a private key never leaves the device. The public key stored on the server is useless to an attacker, even if that server is breached. That removes many of the phishing and credential theft risks associated with passwords, and passkeys typically do not require routine rotation after a breach.

> "Passwordless is where we need to get to." — Ryan Luibrand, Bitwarden

Bitwarden Password Manager supports syncing passkeys across devices and participates in the credential exchange protocol working group alongside Apple and others to enable passkey portability between services. The limitations today are practical, not technical: not all services support passkeys yet, and many that do still keep a password as a fallback. For the foreseeable future, strong password management and passkey adoption will need to coexist.

## Encryption strength is not a set-it-and-forget-it decision

Whether using passwords or passkeys, the encryption protecting a vault matters just as much as the credentials inside it. 

Staying ahead means staying up-to-date with your encryption settings, heeding low-security warnings, and using a strong main password. Bitwarden is building a modular encryption architecture designed to enable automatic upgrades and accommodate post-quantum algorithms as standards emerge.

## Build a free privacy stack

> "It should be as natural to you as an email address, right? Like, oh, I have an email and a password manager. Absolutely." — Ryan Luibrand, Bitwarden

Strong security does not require a big budget. Bitwarden and Tuta are both open source, privacy-first tools with zero-knowledge encryption. Together with the Bitwarden Authenticator app, they cover the three pillars discussed: strong, unique passwords, encrypted communications, and two-factor authentication. When combined, they create a practical baseline for protecting accounts, communications, and recovery workflows.

This [free stack](https://bitwarden.com/de-de/blog/data-privacy-day/) takes just a few minutes to set up:

- **Bitwarden Password Manager** on the free plan delivers cross-platform, open source, end-to-end encrypted password management. Create and securely store credentials, and autofill across all devices. [Get started at bitwarden.com](https://bitwarden.com/de-de/pricing/).
- **Tuta Mail** on the free plan delivers end-to-end encrypted email, calendar, and contacts with zero-knowledge architecture and post-quantum encryption. [Sign up at tuta.com](https://tuta.com/secure-email).
- **Bitwarden Authenticator** is a free, standalone, open source authenticator app that generates TOTP codes for 2FA across all accounts. It works independently of the Bitwarden vault. [Download for iOS and Android](https://bitwarden.com/de-de/products/authenticator/).

## Watch the full conversation

*[Watch on YouTube](https://www.youtube.com/watch?v=ijIMac6PCKM)*

Whether the goal is getting started with password security or leveling up an existing setup, this is a practical, approachable overview of the steps that make a real difference.