When someone wants to share logins and passwords with other team members, freelancers, or family members, they often put them in a Google Doc or Sheet. It’s super convenient to share and have access from any device or location. But are Google Docs really a secure place keep your passwords?

In my opinion, No. There are too many easy to make mistakes that create security risks to call this secure.

Any account that can be reset with a new password sent to your email address is never more secure than your email system.

If someone were to gain access to the email account you use with your various other logins they could easily reset the password to accounts. They click “Forgot password?” on each site they want to try and get into, and then from your email account complete the reset.

Let’s assume your Google account that you use for Drive is also your Gmail account. If someone gains access to your Google account, that’s it. They now have the keys to the city- your city.

You could slow a mischief-maker down if you are using 2 factor authentication (2FA) with your Google account. If you have 2FA enabled on any other accounts the password reset would still require the second pin number or key to unlock.

Below are a few of the simple situations where you could accidentally expose your password document.

We are almost always logged into Google in our phones and computers

If you access your gmail on your phone, your work computer and your personal computer that’s three possible points of entry. If you have your browser set to remember your login so you don’t have to authenticate each time you open it that could be a risk. If you access Gmail on your phone you probably don’t login to Google each time, right?

If you leave just one Google service logged in on any device and someone sits down with your device you are putting all of your Google services and passwords at risk. This includes Gmail, Docs, Calendar, Hangouts, YouTube, etc – and if this is your business account the stakes are even higher.

You can mitigate this risk by making sure all your devices require a password to unlock, and they are locked as soon as you walk away from them.

The document is shared with others

I know this happens a lot within businesses or families. Everybody needs access to the same logins, and a Google Doc is a super-convenient way of everyone having the most up to date information.

If your password document is just for yourself and is set to private (the default) and is unshared with anyone, this shouldn’t be a problem. One of my pet peeves with Google Docs security is that it is so easy to make a mistake with sharing permissions. If a single person who it is shared with accidentally makes an incorrect privacy setting, it can publish your passwords online for the whole company or worse, the world, to see.

Additionally, if any of the people the document is shared with keep their account logged in and don’t password protect their device, this opens up that risk on their end too.

It’s very searchable

One of the powerful features of Google Docs is it is super easy to find stuff even if you only remember a couple words from inside the document. This means your passwords can easily show up in a Drive search. If you’ve accidentally shared a document with the whole company, or worse, the whole world, a little guesswork can surface a document with passwords in it. Google has indexed all the content in all your documents to make it super-duper searchable, so if I just enter “@gmail.com” or “@mycompany.com” it could find appear in the results (and my oh-so–sneaky document title here doesn’t hide it from search).

Other risks

I’ve heard people mention is that some Drive apps or Add-Ons may require access to files. This suggests the app or add-on developer or a hacker could potentially access your passwords. As Google states “When you allow third-party apps to access your Google Account, they can copy and save your data on their own servers.” Google’s article Third-party sites & apps with access to your account is worth a read, or this 2 minute video if you just want a basic concept.

Another issue I’ve heard about concerns legal or government authorities gaining access to someone’s Google account during an investigation. Google’s Privacy Policy clearly states they may do so. The Transparency Report is an interesting insight into the number and type of requests they receive from governments.

Solutions

Encrypt
There is no way of password encrypting a Google Doc, but if you want to keep a backup of your passwords in the cloud you could password protect and encrypt a file on your local computer and then upload it. This isn’t convenient for easy access since you have to download and un-encrypt it to access the information, but it is safe.

Password manager
A password manager has multi-factor authentication, can be used on all your devices, locks itself, has mechanisms to safely share credentials with others, and can generate and manage all those pesky unique passwords for you. There are even some free options available.


There may be other risks I haven’t considered, but I believe the issues I’ve outlined here are more than reason enough to say it is not safe to store passwords in a Google Doc (or Sheet).