I agree that U2F is generally a more secure 2FA solution than soft tokens on a phone. If you use U2F (hardware), then what are you storing in your password manager (software)? Maybe, the 2FA secrets for sites that don't support U2F yet? If so, care to share which sites you use frequently that do not yet support U2F?
Also, which password manager do you use? I ask specifically because if it is a popular commercial option (1Password, LastPass, Dashlane), then your attack vector on your password vault is larger than just local malware. It also includes remote attack directly on the servers of the commercial company. Sure, your vault is encrypted on their servers, but if a hacker gets their hands on your encrypted vault via malware on your system or via their remote servers it's the same outcome: they have your encrypted vault and can start to work on it. Make sure that your vault password is really strong so that it cannot realistically be brute forced (I'm sure you already know that).
Well, 1Password has Wi-Fi sync, and also sync via iCloud/Dropbox, so unless you use their built-in service, it’s not really an issue (at least for targeted attacks).
Also, they store the vaults encrypted anyway; you unlock it locally with a password, so even with a hack you are still reasonably safe.
>Maybe, the 2FA secrets for sites that don't support U2F yet?
That, yes, I put the 2FA secrets in there. They're also on my phone but I believe these are mostly outdated now since I tend to swap 2FA secrets about once a year.
>Also, which password manager do you use?
I use KeePassXC, it's a C++ implementation of KeePass which has excellent cross-platform support (Linux and Windows both work very well) and has integrated KeePass HTTP.
I sync the password database to my self-hosted Nextcloud instance (hosted on an OVH dedicated server) and use a password of about 50 characters in length (I use XKCD-style passwords with about 10 words in there).
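The two posts above both come down to the same defender's question: if an attacker walks off with the encrypted vault, how long does the offline guessing take? The script below is an added example, not code from either commenter or from KeePassXC. It generates an XKCD/Diceware-style passphrase with a CSPRNG, computes its entropy from the wordlist size, and times a memory-hard KDF (scrypt from the Python standard library, standing in for KeePass's AES-KDF or Argon2) to estimate a single-core guess rate and the resulting expected crack time. The 16-word list and the salt are constructed for the demo; the 7776-entry size used in the calculation is that of the standard five-dice Diceware/EFF list.

```python
import hashlib
import math
import secrets
import time

# Constructed demo wordlist. A real Diceware/EFF long list has 7776 entries; the
# entropy functions take the list size as a parameter, so this small list only
# affects the sample passphrase printed below, not the calculation.
SAMPLE_WORDLIST = [
    "anchor", "basil", "canyon", "dapper", "ember", "falcon", "gravel", "harbor",
    "iodine", "jigsaw", "kettle", "lumber", "meadow", "nectar", "orbit", "pebble",
]
EFF_LONG_LIST_SIZE = 7776  # size of the standard 5-dice wordlist


def generate_passphrase(word_count, wordlist=SAMPLE_WORDLIST, sep="-"):
    """Pick words uniformly with the CSPRNG in `secrets` (never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a uniformly chosen passphrase: log2(wordlist_size ** word_count)."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit the right passphrase: half the keyspace on average."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def seconds_to_years(seconds):
    return seconds / (365.25 * 24 * 3600)


def measure_kdf_guess_rate(sample_seconds=0.5):
    """Estimate single-core guesses/second against a scrypt-stretched vault key.

    scrypt is an assumption standing in for the vault's real KDF; the parameters
    (n=2**14, r=8, p=1) are a modest interactive setting, not KeePassXC defaults.
    """
    salt = b"constructed-demo-salt"
    guesses, elapsed = 0, 0.0
    start = time.perf_counter()
    while elapsed < sample_seconds:
        hashlib.scrypt(b"wrong-guess", salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
        guesses += 1
        elapsed = time.perf_counter() - start
    return guesses / elapsed


if __name__ == "__main__":
    phrase = generate_passphrase(10)
    print("sample passphrase (demo list):", phrase)

    bits = passphrase_entropy_bits(10, EFF_LONG_LIST_SIZE)
    print(f"10 words from a {EFF_LONG_LIST_SIZE}-word list: {bits:.1f} bits")

    rate = measure_kdf_guess_rate()
    print(f"measured scrypt guess rate on this core: {rate:,.0f} guesses/s")
    # Assume the attacker has a million such cores; the order of magnitude is the point.
    years = seconds_to_years(expected_crack_seconds(bits, rate * 1_000_000))
    print(f"expected offline crack time with 1e6 cores: {years:.3g} years")
```

Run it as a script to see the numbers on your own machine. The takeaway matches the thread: ten words from a 7776-entry list is about 129 bits, which no realistic guess rate touches, whereas a short vault password relies entirely on the KDF's cost and the attacker's patience once the encrypted database has leaked.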