Open two GMail accounts and store the banking information in one, the bank information on the other, as messages sent to the accounts themselves.
E.g.
From: john.doe@gmail.com
To : john.doe@gmail.com
Subj: Account Alpha
user foo
pass bar
From: zeke.ruesch@gmail.com
To : zeke.ruesch@gmail.com
Subj: Account Alpha
First Merchant Bank, https://firstmerchantba.nk/login
That way:
- an attacker would need to guess both account names (you won't use your own name, also for convenience, since these accounts will be used for nothing else - you'll have perhaps hubbyandwifeflowers and hubbyandwifebees), and both passwords.
- anyone getting a peek at any one of the two accounts (but not both, of course) would find himself unable to use the information,
- you can access the accounts from anywhere, provided there's a connection and GMail is up.
- the pages being accessed via HTTPS, they won't be stored on the local PC, and they won't be intercepted in transit.
All that remains is making sure the PC you're using is not laden with spyware and keyloggers, and is not perhaps connected to a rogue AP performing MitM. So if you're traveling in Lower Crookia and checked in a hotel, and the PC says something fuzzy about the security certificates, please remember not to log in.
On the security of encrypted ZIP documents
Probably we would need to agree on some use case scenarios. The fact that secure key storages (with cloud backups) are famously available for most smartphones - I myself use SplashID - and yet we're debating encrypting ZIPs makes me think that two important requirements have to be:
- accessibility from anywhere, i.e. relying on third-party hardware
- possibility of flexible storage, i.e. not simply user/password pairs, possibly not even the multiple fields of SplashID.
In this scenario, an encrypted ZIP file is by no means secure, and possibly not even available. The PC being used needs a ZIP compatible software installed with password support, and the password must be entered through the keyboard, making it exactly as vulnerable to keyloggers as any other method.
Moreover, the text file will have to be read once decrypted. On most systems this means not only that the file will be available in plain text on the system for as long as it's being read (which does not happen for HTML pages on HTTPS sites, for example), but that parts of the text, and possibly the text in its entirety, will be still available for an unknown period of time in the memory swap file and/or disk temporary areas and/or or filesystem slack space. Depending on what the text editor actually is, a backup of the unencrypted file might be left lying on the system with the user none the wiser.