Storing my Bitwarden passwords in a .csv file

Hello,
I wanted to keep a copy of all my passwords in the cloud. I have been using Mega for a few years with no issues. Being a home user and learning about encryption, is it “safe” to import my passwords to my computer then upload them to my Mega account? Is this “safe”?

I have 2FA on my Mega account and a long password of various letters, numbers & symbols. To date I have never had any issue with Mega; so far no one has ever gotten into my account. BUT is this safe to do?
I was also thinking of keeping a copy in my Dropbox account. I have 2FA on Dropbox as well and never an issue. Is there a way to encrypt the folder that I put the .csv files in, so that in the event someone managed to get past my 2FA and crack my password, they would need another password to access the folders with my .csv files in? Or is this not necessary?
Also, NO ONE has access to my laptop, which is a Chromebook (Acer 513 Spin). I never take it out of the house. So would it be OK to leave the .csv files in my Downloads folder? Unless someone steals my laptop, I would think my .csv files are safe? I tried to find a folder encrypter for Chromebook but so far have not found anything via the “extensions”, so for now I have my .csv file in my Mega account. Also, I use Authy for 2FA protection.

It has to be "unlocked" every time I close the lid or shut it off.

Unless someone steals my Chromebook, I would think even the .csv files would be safe in my Chromebook because they are only on my local machine, right?

I am impressed with Mega as a cloud storage; below is some info on Mega.

All files stored on MEGA are encrypted by your computer / phone / device. All data transfers from and to MEGA are also encrypted. Although most cloud storage providers claim encryption in transit and at rest, MEGA is much more secure. MEGA uses above-average security measures to protect your data. All the data which is stored on MEGA is encrypted end to end. Once the data is on the receiving device it is decrypted only then. Your data is stored in an encrypted format at all times on MEGA and it never has access to your decrypted data.

Nope. If someone gains access to your computer via the Internet, they will be able to copy that file right out of your download directory. It could be either a malware or a phishing attack. All you need is one wrong click…

1 Like

Another quick observation. I would consider getting a safety deposit box and storing both the printout of the .csv file and the file on a flash drive. That storage will be offsite, secure from many physical disasters that can affect your home. Having both a paper printout and the file will be an added layer of protection in case of an EMF disaster. (Every good data protection plan includes off-site storage for those natural disasters like floods, fire, burglary, etc.)

I managed to find this on the Google Chrome extension

Does anyone know how trustworthy they are?

I don’t know who they are or how trustworthy they are, especially with passwords.

From the research I’ve done, it seems like they’re owned by https://mybrowseraddon.com/ and they seem to have a good reputation. Before I use them, I was hopeful somebody knows who they are and has used them with good results.

Here are the statistics of the company that makes that file encrypter, in case anybody wants to know: loora | Chrome extension stats

Personally I would see it as a downgrade in security to use that sort of unknown browser extension after having them all secured in Bitwarden. Wouldn’t it be better to just keep an offline encrypted copy as a backup and use Bitwarden for the online stuff?

1 Like

I also uploaded my passwords online, but I don’t use a plain CSV. I use KeePassXC, export the passwords in an encrypted database (KDBX file) and then upload the KDBX online.

If you are from Bitwarden, you can export from BW to KeePass by following this guide:
https://keepass.info/help/base/importexport.html#genericcsv

I still use BW, but in case I cannot log in to my BW account, at least I have some kind of backup.

Among other things, I received this from MEGA support:

"Browser extension updates are also cryptographically protected and the extension contains all the necessary source code (HTML, CSS, and JavaScript) for MEGA to run locally on your device, enhancing security even further. For more detailed information, please refer to section 2.2 of our Security White paper https://mega.nz/SecurityWhitepaper.pdf?aff=sVJE3QrK "

Their browser extension at one time had an issue with malware, but since then I believe it is very safe. As they say, it is cryptographically protected and allows all the MEGA code to run locally. It is supposed to be more secure than loading the code from the server each time.

I’ve been thoroughly impressed with MEGA. In theory their encryption is not the strongest, but that’s splitting hairs really as AES-128 is very strong (unbreakable for now), and you can use your own encryption if you are paranoid for your own peace of mind.

Also like their CloudRAID technology:

"We use CloudRAID (Redundant Array of Independent Datacentres) technology. This means we split each file into roughly equal-sized parts and store each part in a different country. We also create a part which contains rules about how the file could be reconstructed, and store it in yet another country. This technology makes it possible to reconstruct the file if one part is unavailable due to, for example, a blackout. Also, thanks to our unique on-the-fly transfer processing engine, to reconstruct the file, your MEGA won’t wait to receive all the parts from the datacentres (even when they’re all available), but will reassemble your file from all minus 1 parts that it receives the fastest. For example, if your file is split into 5 parts plus 1 part with reconstruction rules (6 in total), your MEGA will rebuild the file as soon as it receives any 5 of the 6 parts.

MEGA operates CloudRAID datacentres in Luxembourg, Germany, France, Netherlands, Spain, Belgium, Canada, and soon in Sweden."

One thing you can do to become more comfortable with cloud accounts is upload in plain text some unimportant passwords as a honey pot. It will show you that even plain text in a well-secured cloud account is very safe.
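The "5 parts plus 1" reconstruction described in the CloudRAID quote above, worked through as an added example that is not part of the thread and not MEGA's code. It assumes the extra part is a simple XOR parity block, which the quote does not specify; the function names are hypothetical.

```python
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def split_with_parity(data: bytes, n: int = 5):
    """Split data into n equal-sized parts plus one parity part (n + 1 total)."""
    size = -(-len(data) // n)                 # ceiling division
    padded = data.ljust(size * n, b"\0")      # pad so every part has the same size
    parts = [padded[i * size:(i + 1) * size] for i in range(n)]
    parts.append(reduce(xor_bytes, parts))    # parity = XOR of all data parts
    return parts, len(data)

def rebuild(parts, length: int) -> bytes:
    """Rebuild the file from n + 1 parts where at most one entry is None."""
    missing = [i for i, p in enumerate(parts) if p is None]
    if len(missing) > 1:
        raise ValueError("a single parity part can recover only one missing part")
    if missing:
        present = [p for p in parts if p is not None]
        parts = list(parts)
        # XOR of the surviving parts equals the missing one, data or parity.
        parts[missing[0]] = reduce(xor_bytes, present)
    return b"".join(parts[:-1])[:length]      # drop parity, strip padding

# Constructed sample, not a real export.
SAMPLE = b"constructed sample data standing in for an uploaded file"

if __name__ == "__main__":
    parts, length = split_with_parity(SAMPLE)
    for lost in range(len(parts)):
        damaged = [None if i == lost else p for i, p in enumerate(parts)]
        print("part", lost, "unavailable ->", rebuild(damaged, length) == SAMPLE)
```

Parity of this kind provides availability only; confidentiality of the stored parts still depends on the encryption applied before upload.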

As long as you do a “password protected” export (currently only in the web vault but coming soon to the desktop and browsers) and use a long, strong, unique password, the “security” of your storage location becomes relatively unimportant because the “trust” then lies with the encryption of the export itself. This frees you up to worry more about keeping multiple copies so you do not lose them.

Oh and do put your export password on your emergency sheet.

1 Like
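A pre-upload check for the advice above, as an added example that is not part of the thread or Bitwarden's code: it inspects an export's content and approves it for cloud storage only when it is a password-protected export. The JSON keys (`encrypted`, `passwordProtected`, `salt`, `data`) and CSV column names are assumptions about Bitwarden's export formats; the function names are hypothetical.

```python
import csv
import io
import json

# Assumed markers: columns in Bitwarden's unencrypted .csv export and the
# top-level keys of its encrypted .json exports.
CSV_SECRET_COLUMNS = {"login_password", "login_totp"}

def classify_export(raw: bytes) -> str:
    """Classify an export file by content, ignoring its file name."""
    text = raw.decode("utf-8-sig", errors="replace").strip()
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        if doc.get("encrypted") is True:
            # Only the password-protected form carries its own salt, so it
            # can be decrypted without access to the Bitwarden account.
            if doc.get("passwordProtected") is True and doc.get("salt") and doc.get("data"):
                return "password-protected"
            return "account-encrypted"
        return "plaintext-json" if "items" in doc else "unknown"
    header = next(csv.reader(io.StringIO(text)), [])
    if CSV_SECRET_COLUMNS & {h.strip().lower() for h in header}:
        return "plaintext-csv"
    return "unknown"

def safe_to_upload(raw: bytes) -> bool:
    """True only for exports whose secrecy rests on the export password."""
    return classify_export(raw) == "password-protected"

# Constructed samples, not real vault data.
SAMPLE_CSV = (b"folder,favorite,type,name,notes,fields,reprompt,"
              b"login_uri,login_username,login_password,login_totp\n"
              b",,login,example,,,0,https://example.com,alice,not-a-real-password,\n")
SAMPLE_PROTECTED = json.dumps({
    "encrypted": True, "passwordProtected": True,
    "salt": "Y29uc3RydWN0ZWQ=", "kdfIterations": 600000,
    "data": "2.constructed|constructed|constructed",
}).encode()

if __name__ == "__main__":
    for name, blob in [("export.csv", SAMPLE_CSV), ("export.json", SAMPLE_PROTECTED)]:
        print(name, classify_export(blob), "upload ok" if safe_to_upload(blob) else "do not upload")
```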