Passwords alone are insufficient security, no matter where you store them. 2FA is barely sufficient for most things if that 2FA is based on randomized codes sent by SMS.
My setup is to use a USB key via passthrough plus a password in a sanitized, sandboxed environment for critical tasks. Naturally, neither the host nor the guest OS is Windows-based.
"Just take a look around you, what do you see? Pain, suffering, and misery." -Black Sabbath, Killing Yourself to Live.
"Man was born free, and he is everywhere in chains." -Jean-Jacques Rousseau