Is my password management safe or complete garbage?

[Elganja]

I think this still belongs in off topic?

I want check in with the internet crowd on my crappy way of managing numerous logins. Like most of you, I have tons of logins/pws for various sensitive and inane crap on internet (banking, credit cards, insurance, forums, etc).

1. I decided to maintain a spreadsheet with manual entry for all these sites containing login/pw.
2. That spreadsheet is in cloud only (Google Drive), never offline.
3. My Google pw is very strong (maximum chars, symbols, numbers, etc).

This gives me the benefit of easily accessing my login/pw anywhere I go via my phone (which also has a screen lock). The risk is obviously that if my Google account is hacked, I am facked royally. And also, Google can do something with it too (company hacked or a malicious employee).

Google being the #1 tech company, I'd like to think they have the best security.

Is my method okay? As I'm typing it out, it just sounds risky. What's the best way then while maintaining easy access (via my phone preferably).

similar system for me, however anywhere i can use 2-step i do... e.g. google 2-step, apple id 2-step, financial institution 2-step, etc...

if google gets hacked, then the passwords are the last of my worries... lol

 

[zinfamous]

Sorry man but I have to go with "complete garbage". You don't want a single or central point of failure for anything that's important to you. Nothing inherently wrong with throwing some stuff up on google drive, but anything important needs to have secure copies in other places just in case. Online AND offline.

On top of that, you never ever want to be storing your list of logins or anything of equal importance in any sort of bare or unprotected format. This means if you're emailing yourself logins, or if you're storing a plain text file or word document or excel document in the cloud, you're exposing yourself to unnecessary risk.

You can easily add orders of magnitude more protection by simply placing said file inside a heavily encrypted file container. You can do this any number of ways - using a program like Veracrypt is one. Upload the encrypted file instead, and to more than one place.

IMO, something like this is really the bare minimum. Don't leave it up to a third party or up to luck for nothing bad to happen to you.

It's always a trade-off between security and convenience. You can save all your passwords in your browser, but then you're leaving yourself more vulnerable to any browser-level attacks. You can use a service like Lastpass, but then you're leaving yourself at the mercy of their security systems and practices. You can save all your logins in a plain text file, but then anyone that gains access to the device in which it resides can access your logins. You get the idea. If you don't want to compromise any convenience, then you will inevitably compromise some level of security. For me, prudent use of an encrypted volume backed up in a number of places that couldn't possibly all be compromised simultaneously makes the most sense.

This is what I do, but it is 100% secure because the text file is named: Ishtar 2_script.txt

 

[Malogeek]

Is my method okay?

I think it's ok as long as you have 2FA turned on for your Google account. Everyone should have 2FA on for everything that supports it that they care about but for this in particular, it's completely necessary.