40

In the past I have seen a Google Drive document used to hold FTP usernames/passwords.

Is storing passwords in Google drive a good practice?

secuaz
  • 2
    See http://security.stackexchange.com/questions/62599/what-are-some-considerations-before-moving-personal-data-to-google-drive/ for some related issues. – Mark Aug 12 '14 at 19:26
  • 4
    In a reasonably *simplified* way, I would say that the only moment one should send his credentials online is when one authenticates with them (over a safe connection being an even more satisfying scenario). – John WH Smith Aug 12 '14 at 21:17
  • 1
    @JohnWHSmith I disagree. You should never need to send your credentials online for authentication. The only time you should have to send them credentials in a reversibly encrypted form is when creating the authentication account in the first place. – Aron Aug 13 '14 at 03:06
  • Using a password manager while having your password database stored on Drive is a win-win-win situation: Google can't divulge your credentials even if they wanted to, you maintain the convenience of easy access, and you are also reasonably protected against downtime (typically there will be several offline copies of the password database stored among your devices). – Jon Aug 13 '14 at 11:58
  • 2
    Sophos have a good rule for this: In a security context, read "cloud service" as "someone else's PC". So to reword, is it a good idea to keep a list of your passwords on someone else's PC? – Chris Murray Aug 13 '14 at 15:29
  • Storing passwords in plain form, regardless of where, is always a bad idea. And furthermore, using asymmetrical encryption instead of passwords is probably way better in all cases. It prevents your friends (with whom you shared your password) from committing identity theft. – Willem Van Onsem Aug 13 '14 at 21:10
  • Store passwords with the aid of a 'password manager'. I've been using [Password Safe](http://passwordsafe.sourceforge.net/) (along with its Mac OS and iOS variants [Password Gorilla](https://github.com/zdia/gorilla/wiki) and [pwSafe](http://app77.com/pwSafe/), respectively) and syncing the 'safes' (one each per computer or device) via Dropbox (for 'merging' passwords among the 'safes') for years now. – Kenny Evitt Aug 14 '14 at 00:52

8 Answers

46

Is Google Drive safe?

I wouldn't say that Google drive is not a safe place to store sensitive information. But I bet you cannot rely on it. When it comes to protecting your sensitive data/privacy, it is always good to be sure, and just trusting drive is not being "sure".

Solution:

One word, Encryption.

Encrypt your data before you store them in the Google drive. Now you don't have to depend on Google to protect your data security, it is you who should keep your mouth shut about your key ;)

Note:

Encryption is not always needed when storing normal data which falls under the general category (something like the things you share in the social networks, etc.).

But it is really a great option when it comes to storing your confidential information in drive and in my experience, I am pretty sure that passwords fall under this category.

Malachi
Ebenezar John Paul
  • 1
    Agreed, I store all manner of sensitive information on Google drive - *in encrypted documents* – Carson63000 Aug 12 '14 at 12:46
  • To automate this process there is a program called [duplicity](http://duplicity.nongnu.org/), it will only record the parts of files that have changed since the last backup, and encrypts locally before transferring. For an example see http://shobute.com/posts/backup-to-google-drive-with-duplicity. – Ben Aug 12 '14 at 20:40
  • Given the "amount" of data being stored on Google Drive, we would be approaching OTP encryption level (password protecting a password). Assuming OTP level encryption, then the problem is reduced to storing and protecting a password securely. Which happens to be the SAME problem we were trying to solve. – Aron Aug 13 '14 at 03:10
  • 3
    and where do I store that key?? – user3459110 Aug 13 '14 at 08:11
  • My suggestion would be to get a password management app, like 1Password or one of the others out there, that store the passwords in encrypted files. Most of them offer some way to sync using Drive or Dropbox or some other shared drive service. Most also have convenient browser plugins to get the passwords back out, convenient password generators so that you can have long random passwords for all sites, and most have apps for the various smartphones to allow access while on-the-go. 1Pass even stores other info like passports, CCs, Notes, etc. – CodeChimp Aug 13 '14 at 11:57
  • I agree with everything in the answer except for the _"not always needed"_ part. If you ever need to encrypt _one_ thing, you need to encrypt _everything_. Preferably, you'd encrypt important and unimportant data in one container (such as a truecrypt volume). The reason is that if you only encrypt what's important, then a prospective attacker immediately knows what's worth looking into. If you (and preferably _everybody_) encrypt everything, this is much, much harder. – Damon Aug 14 '14 at 11:16
  • 1
    @Damon Ease of access! I agree that confidential data are worth spending time in encryption/decryption. But if the user has to decrypt every single time he needs to access anything (even things like the user's social media pictures which are already available on the internet for the whole world), then eventually he/she is gonna get sick of the process, which might result in giving up the whole encryption step to make life easier. Trust me, no security method is really worth it if it degrades the user experience. So it is recommended to use security methods only if there is a need for security. – Ebenezar John Paul Aug 14 '14 at 12:15
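
What "encrypt before you store" can look like in practice, as an added example (not code from the answer or from any commenter): the key is derived from a passphrase with scrypt, so no key file has to be stored anywhere, and AES-256-GCM makes a wrong passphrase or a blob altered in storage fail on decryption. The function names, scrypt parameters and sample data are assumptions made for this illustration; it uses only Node.js's built-in `crypto` module.

```javascript
const crypto = require('node:crypto');

// scrypt cost parameters (assumed values; tune to the slowest device you use).
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit key from the passphrase; the key itself is never stored.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, KDF);
}

// Returns salt(16) | nonce(12) | tag(16) | ciphertext: the only bytes uploaded.
function seal(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// Throws if the passphrase is wrong or the blob was modified in storage.
function unseal(blob, passphrase) {
  const [salt, nonce, tag] = [blob.subarray(0, 16), blob.subarray(16, 28), blob.subarray(28, 44)];
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]).toString('utf8');
}

// Convenience wrapper: null instead of an exception on failure.
function tryUnseal(blob, passphrase) {
  try { return unseal(blob, passphrase); } catch { return null; }
}

// Constructed sample data, not real credentials.
const SAMPLE = 'ftp.example.test  deploy  constructed-sample-password\n';
const PASSPHRASE = 'constructed sample passphrase, six random words';

function demo() {
  const blob = seal(SAMPLE, PASSPHRASE);
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 0x01; // one bit flipped while "in the cloud"
  return {
    roundTrip: tryUnseal(blob, PASSPHRASE) === SAMPLE,
    leaksPlaintext: blob.includes(Buffer.from('deploy')),
    wrongPassphrase: tryUnseal(blob, 'not the passphrase'),
    tamperedBlob: tryUnseal(tampered, PASSPHRASE),
  };
}

console.log(demo());
```

The sealed blob is the only thing the storage provider ever holds; the strength of the whole scheme rests on the passphrase, which is why a long random one matters more than the choice of provider.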
21

Quick answer: NO.

If you ever decide that you will automatically log-in to google drive on your device, anyone with access to your machine has access to your passwords.

If you want to store passwords I think you might be better off using a password manager.

Check this list: http://www.pcmag.com/article2/0,2817,2407168,00.asp

sir_k
13

Only if you trust Google with that information. This is because in all likelihood Google has access to everything in your Google drive and can extend that access to anybody given a court order to do so.

As for if this is good practice...no, it's not.

ilikebeets
  • 9
    ... can extend, *and can be forced to extend,* ... – O. R. Mapper Aug 12 '14 at 13:31
  • Google does not have access to anyone's drive. I had to work with their support and had to explicitly share the files with Google in order for them to see it. – code ninja Aug 12 '14 at 15:37
  • 14
    @matejkramny I can see where you are coming from but in the end your data is on their servers to which they control access and which can be decrypted server side. I have no doubt that should they be ordered to, they can access your data. I think in your case it is true that the support personnel do not have direct access to your data on your drive and I support that completely, but I am fairly sure that a bit further up in the management hierarchy there are people with the authorization to access your data. – ilikebeets Aug 12 '14 at 15:48
  • 1
    @ilikebeets Hmm good point. They're probably compliant with many secret three-letter-agencies.. – code ninja Aug 12 '14 at 15:50
  • 3
    @matejkramny: Eh? It's _their_ drive! Of course they have access to it. Whether a frontline support tech has access to the backend servers is an entirely different thing. – Lightness Races in Orbit Aug 13 '14 at 15:06
  • Well yeah but someone in Google who has these permissions would have to know who you are and what to look for. I doubt that'd happen unless you're someone like Snowden. – code ninja Aug 13 '14 at 15:09
8

A good rule of thumb is: if you don't want to risk other people seeing it, don't put it online. This especially goes for passwords.

If you have to put it online, encrypt it.

I use a cloud service to store my password manager database. It also means I can access it from multiple devices (laptop, phone, work computer, etc).

Gilles 'SO- stop being evil'
K Vaughan
5

Google Drive, like most cloud hosting companies (Dropbox, etc.), has complete access to the plain data. This means that their employees (or law enforcement agents) can access it on a whim.

A more secure solution would be a cloud hosting service that encrypts the data locally (on the user machine), and transfers/stores only bits of encrypted data. Such solutions include SpiderOak and Tarsnap.

landroni
3

We learned recently that Google actively searches gmail messages for images with hashes matching those of known child pornography images.

I do not say whether this be good or bad, but I do say: nose, camel, tent. That being the case, one must conclude that nothing you trust to another, whether it's Google, or Apple, or Microsoft, or whomever, is safe from routine inspection. This is not a case of search warrants or court orders; this is a case where a private company has decided to conduct routine searches of the data stored on their servers. So, as others have already written, if you have to store information "in the cloud," it must be encrypted.

People have already said that, so why am I wasting electrons? It is to add that the only safe encryption is strong encryption for which you have generated the key yourself. Any encryption scheme in which someone else generates the key is useless!

Bob Brown
2

Assuming you use gmail as well.

Any account that can be reset with a new password sent to your email address is never more secure than your email system.

Google Drive is most likely secured with the same password as your email.

Therefore it is safe to store passwords of accounts that can be reset by email; in my case this is most accounts apart from banks etc.

Ian Ringrose
  • But in some cases, the email used to reset password does not contain the new password, but a url link to manually reset it. Is that safer than the email containing the new password itself? – TLR 7 8 agonist Jul 11 '19 at 05:59
1

When it comes to password security, I heard this tip from a security-minded colleague. When you need to change your password, get a new random password (using a strong password generator, for instance), write the password on a piece of paper, carry the paper around with you until you have memorized the password, then destroy the paper. Or preferably develop the ability to remember the new password immediately so you don't have to make a copy.

It may seem counter-intuitive to write your password on paper, but if you are going to keep a written copy somewhere, does it make sense to put it online where it could potentially be accessed by anyone with an Internet connection and the ability to overcome whatever security you have around it (note the recent history of very large password database hacks in the news), or does it make more sense to keep a copy on your person?

An additional note: use two-factor authentication wherever available.

Robert Munn
  • 1
    Better to have the password in two parts, a random part that is written down, and then a short word you add at the start that is not written down. The risk of using the same "short word" for all accounts is not great if the random part is different. – Ian Ringrose Aug 14 '14 at 12:06
  • @Ian +1 for adding the unwritten component. – Robert Munn Aug 14 '14 at 15:46