Is Google Drive a safe spot for secure information?
July 6, 2015 11:49 AM

My co-workers want to put information about our political organization onto Google Drive: logins and passwords for all social media accounts, PayPal, web site, online banking, everything. I do not like this; they think I am a raving lunatic. The Google Drive is accessible by three people. What is the prevailing wisdom regarding the storage of sensitive information in this manner?
posted by halcyon_daze to Computers & Internet (32 answers total) 5 users marked this as a favorite
 
Do you have two-factor authentication enabled across your company (or at least across the people who will have access to this info)?
posted by brainmouse at 11:55 AM on July 6, 2015 [1 favorite]


I think the worry here is the three people, not Drive. If one of them gets a compromised computer, for example. But that would happen with any system where they can access it client side.

If everyone has 2Factor authentication and strong passwords, outside hacking is not really worth worrying about.

But someone leaving their computer unlocked or getting malware would be the most likely failure, which gets more likely with each person who has access. But that would apply with anything where the end user can access easily...
posted by thefoxgod at 11:57 AM on July 6, 2015 [2 favorites]


I don't know what that is. So no, probably.
posted by halcyon_daze at 11:59 AM on July 6, 2015


I don't store my online banking passwords on the Internet. Period.

If you go this route, make sure you all have dual-factor authentication enabled for your Google accounts. I'd separately encrypt any passwords you store there in a password vault app with a separate shared password. Don't just stick them there in a document.

Only allow one person to add permissions or share to new users, as this reduces the chance of someone adding another user or making it public by accident.

You might sit down as a group and go over this Wired article about being hacked, so you have an idea of what you might be facing.
posted by cnc at 11:59 AM on July 6, 2015 [1 favorite]


Google's 2-step verification. Basically it's an extra step when you login, so that a stolen password is not sufficient for Bad Guys to get into your accounts. Everyone should have it enabled on everything (seriously, turn it on on your personal Gmail, on Facebook, check if your bank has it, etc.)

If everyone has two-factor I would have no concern with putting most of this info on Google Drive, with banking stuff as a probable exception...
posted by brainmouse at 12:00 PM on July 6, 2015


If they absolutely must have a password database, which is still a mediocre idea, have each of them install something like Keepass. Then you can have a single, strong password that everyone will need to know (and the Keepass application). Then, should the Google Drive be compromised, any intruder will still only have an encrypted file.
posted by mikeh at 12:01 PM on July 6, 2015 [8 favorites]


I'd recommend this even if their Google accounts have two-factor authentication -- at some point the password file will be opened or copied to their local computer, and once again be unsafe. Keepass never has an unencrypted copy of the password on disk.
posted by mikeh at 12:02 PM on July 6, 2015


I think this is generally fine but don't use the google account for anything else. If your google account gets suspended for issues relating to adsense abuse, google wallet payment issues or whatever, you'll be suspended from access to all google services. It's an easy issue to avoid, but it seems like it's also an easy issue to encounter from people who have experienced it.

You can get around this by paying for Google For Work accounts, which have an admin interface to control accounts.

Also, google docs don't really sync to your local computer with the drive app - you'll get a little placeholder file that doesn't have anything actually in it.

I think Google Docs is fine, but you may want to evaluate other options as well, like using text files or word docs and a storage solution like dropbox (which also has 2-factor auth available)
posted by GuyZero at 12:10 PM on July 6, 2015


Keepass has already been mentioned above, but it's worth also noting that Keepass supports both a strong password and a key file, and if you don't have both the password and key file, you can't access the database.

I keep some passwords (nothing critical like banking, but login stuff for various Internet forums, etc.) in an online Keepass database, on a cloud drive service, but I also keep the key file on the hard drive of my work computer and home computer. This way, even if somebody breaches the security of the cloud drive and finds the Keepass file, and somehow magically hacks the password for the Keepass file, they still need the key file, which is not in the cloud drive.

This sounds crazy elaborate, but it's actually really easy to set up, and once it's established with the database in the cloud service and the key file on everyone's personal computers, about as secure as it gets by my non-expert lights.
posted by Shepherd at 12:29 PM on July 6, 2015 [4 favorites]
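
The password-plus-key-file arrangement described in the comment above, as an added example that is not part of the original thread and is not KeePass's own code or file format. It is a simplified model: the function names, the PBKDF2 work factor and the header bytes are assumptions made for the sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def composite_key(password: str, keyfile_bytes: bytes, salt: bytes) -> bytes:
    """Derive one 32-byte key that depends on BOTH the password and the key file."""
    pw_digest = hashlib.sha256(password.encode("utf-8")).digest()
    kf_digest = hashlib.sha256(keyfile_bytes).digest()
    # Hash the two digests together so neither secret alone fixes the result.
    combined = hashlib.sha256(pw_digest + kf_digest).digest()
    # Slow key stretching, so guessing the password part is expensive.
    return hashlib.pbkdf2_hmac("sha256", combined, salt, PBKDF2_ROUNDS)


def create_vault(password: str, keyfile_bytes: bytes) -> dict:
    """Build the part of a vault that lives in cloud storage.

    Only the salt, a public header and an HMAC tag are stored. The key file
    stays on each member's own machine and is never written here.
    """
    salt = os.urandom(16)
    header = b"constructed-vault-header-v1"  # constructed sample value
    key = composite_key(password, keyfile_bytes, salt)
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return {"salt": salt, "header": header, "tag": tag}


def can_open(vault: dict, password: str, keyfile_bytes: bytes) -> bool:
    """Return True only when both secrets reproduce the stored tag."""
    key = composite_key(password, keyfile_bytes, vault["salt"])
    expected = hmac.new(key, vault["header"], hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected, vault["tag"])


if __name__ == "__main__":
    keyfile = os.urandom(64)  # stands in for the key file kept off the cloud drive
    vault = create_vault("constructed shared passphrase", keyfile)
    print("both secrets:  ", can_open(vault, "constructed shared passphrase", keyfile))
    print("password only: ", can_open(vault, "constructed shared passphrase", b""))
    print("key file only: ", can_open(vault, "wrong guess", keyfile))
```
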


That Google account isn't just accessible to three people at the organization that owns it. It's also accessible to an unknown number of people at Google, depending on Google's (undisclosed) operational procedures, and how well Google and its individual employees actually follow those procedures. It's also accessible to an unknown, but at any given time probably nonzero, number of penetrators from outside Google, based on those things and the bug of the month.

Your best protection is the fact that most of those people don't know what you have in there or care enough to find out.

And the possibility of losing the account has already been mentioned.

That's regardless of two-factor authentication.

I know it's popular to abuse cloud services that way, but storing stuff like that in cleartext on something like Google is in fact crazy. It would probably be OK with Keepass.

But you shouldn't be sharing passwords in the first place when you can possibly avoid it. For example, I'd be really surprised if your bank can't provide a separate set of login credentials for everybody who has access to your money. By the way, I don't know if you have a significant amount of money to lose, but if you do, expect the bank to blame you for any loss through just about any path if your password management isn't squeaky clean... even if that's NOT how a problem happened.

I do not think banking passwords are the only issue. Political organizations tend to have both external enemies and internal infighting. Some of that stuff should probably be set up so that no single person can do anything... the things I'd be especially careful about would be the bank account and the domain registration.

It's true that your biggest problem is probably those three people, though. Especially if any of them actually thought this was a good idea, they're likely to leak accidentally if not on purpose.
posted by Hizonner at 12:34 PM on July 6, 2015 [4 favorites]


I do things like this at times - store sensitive information in Google Drive. As a large company with lots to lose by being hacked, Google is probably as secure as your online bank, so the chance of either being hacked is low but nonzero. So you aren't really opening up much of an attack vector if you're worried about someone getting into Google and stealing your info. There are many, many places that a hacker can get my SSN and address more easily than by getting into my tax returns stored in Google Drive. So I personally find concerns about storing passwords and personal info "in the cloud" to be useless hand-wringing: there are risks everywhere and Google is relatively low-risk. Instead of concerns about whether Google will get hacked, the concern is whether your particular Google accounts might be compromised and therefore give someone access to the info in Google Drive.

There's the concern about someone getting your coworkers' Google passwords. That is a slight increase in the ways you could get attacked: if your coworkers are fastidious about only logging into online banking on a trusted computer, but will log in to these Google accounts on any old device, then there's a chance they could log in to Google on a compromised computer and give up their credentials to an attacker. But if you or your coworkers are working / logging in to online banking on a compromised machine, then the attacker already has your online banking credentials - so in this case adding Google to the mix didn't compromise anything.

In the end, I would say that if these Google accounts are work accounts and everyone is good about being security-minded (logging in only on known computers, not opening unexpected email attachments, etc) then this is probably fine and putting sensitive information in the cloud is no big deal. This is especially true if these are Google business accounts and everyone can be forced to use 2-factor authentication - that way even if a password is compromised the attacker can't get in. But if these are personal Google accounts (where your coworkers are likely to log in just about anywhere, and where they might give their passwords out to SOs, etc) then this is probably a real risk and should be avoided.
posted by Tehhund at 12:38 PM on July 6, 2015


I think in general this is a bad idea. Such things should be stored securely offline. The risk of a bad person obtaining credentials through someone using a compromised network or computer is not zero. The naivety demonstrated by even thinking this is ok suggests your co-workers probably have devices that will end up infested with malware if they aren't already.

Putting everything in one place is even worse.

While this is specifically about countering surveillance, you may find useful materials here that will help you explain to your co-workers.
posted by i_am_joe's_spleen at 12:39 PM on July 6, 2015 [2 favorites]


"As a large company with lots to lose by being hacked, Google is probably as secure as your online bank,"

It's not just about whether Google per se look after your stuff well. It's about whether the devices and networks you use to access Google's services are secure. The answer for people who haven't thought about it is usually no.
posted by i_am_joe's_spleen at 12:40 PM on July 6, 2015


"So you aren't really opening up much of an attack vector if you're worried about someone getting into Google and stealing your info."

Containment is a really basic security principle.

There's a difference between getting into one account and ending up with access to whatever that account has... and getting into one account and ending up with access to everything.

You shouldn't give your bank your Google password any more than you should give Google your bank password.

By the way, Google has different operational constraints than a bank (primarily constraints of scale; banks are tiny in comparison) and uses different security measures. It has a significantly different attack surface.
posted by Hizonner at 12:42 PM on July 6, 2015


One more for the "this is a very bad idea" column, only slightly mitigated if you enable two-factor auth (which you should probably be mandating for every user in your organization on any service that supports it).
posted by brennen at 12:50 PM on July 6, 2015


If your organization has anyone doing IT, you should go talk to them about this and probably ignore everything else in this thread.

Here's a few reasons a dedicated password manager is better than a spreadsheet full of passwords:

Password managers can detect what site you're on, and fill in login forms automatically. Not only is this convenient, but it also defeats most spoofing/phishing attacks. (it wouldn't try to send your paypal password to paypa1.com)

Copy/pasting passwords is lousy, because your clipboard is generally accessible to any software running on the computer.

Password managers are extremely serious about encryption and security, since that's their raison d'etre.

Password managers make it very easy to have strong passwords, since they all have good password generators built in.

Google is all about sharing information, to the point where it's easy to accidentally share stuff. Not so with password managers.

I know some password managers have some multi-user support, but I don't know enough about that feature to make any specific recommendations.

"Google is probably as secure as your online bank"

I dunno. My bank automatically logs me off after a few minutes. Not so for Google.
posted by aubilenon at 12:51 PM on July 6, 2015 [1 favorite]
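
The host-matching behaviour the comment above credits to password managers (the paypa1.com case), as an added example that is not part of the original thread and is not any particular password manager's code. The vault contents, function names and test URLs are constructed for the sketch, which also covers a few look-alike URL forms beyond the one the comment mentions.

```python
from urllib.parse import urlsplit

# Constructed vault: each credential is stored under the exact host it was saved for.
VAULT = {
    "www.paypal.com": ("treasurer@example.org", "constructed-password-1"),
    "twitter.com": ("org_account", "constructed-password-2"),
}


def login_host(url):
    """Return the canonical ASCII host of an https URL, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None  # never offer credentials over plaintext http
    # .hostname lowercases the host and drops any "user@" prefix and port,
    # so "https://www.paypal.com@paypa1.com/" resolves to paypa1.com.
    host = parts.hostname
    if not host:
        return None
    try:
        # Convert internationalised names to their ASCII (xn--) form so a
        # look-alike Unicode letter cannot equal the stored ASCII host.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def credentials_for(url):
    """Offer credentials only when the page's host equals a stored host."""
    host = login_host(url)
    if host is None:
        return None
    return VAULT.get(host)


if __name__ == "__main__":
    samples = [  # constructed URLs
        "https://www.paypal.com/signin",
        "https://www.paypa1.com/signin",
        "https://www.paypal.com@paypa1.com/signin",
        "https://www.paypal.com.evil.example/signin",
        "http://www.paypal.com/signin",
    ]
    for url in samples:
        print(url, "->", "fill" if credentials_for(url) else "refuse")
```

A person reading a spreadsheet has to make this comparison by eye on every login; here the lookup is an exact string match, so the look-alike host simply has no entry.
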


I use lastpass. :)
posted by kschang at 1:03 PM on July 6, 2015 [1 favorite]


I feel like I should point out that your organization fundamentally misuses passwords. Passwords are designed to authenticate users, not allow actions. This means it's important that each user has their own password that nobody else knows. Otherwise you have zero accountability in case of misuse. What's your plan if any of the shared passwords are ever abused? How will you know who did it?

I understand that this objection might seem a little abstract when it's just your friends and you've never had trust problems before. And maybe some social media sites might make it difficult/impossible. But shared passwords for an organization's banking is sort of unforgivable.
posted by ryanrs at 1:05 PM on July 6, 2015 [8 favorites]


One reason I don't worry too much about this kind of thing is anyone with access to my Google account can simply reset passwords on any site with that email address anyway. So having access to my Google account gives them equivalent privileges to having my passwords.

That said, I do use an encrypted password storage myself, but it probably makes no difference in practice.

i_am_joe's_spleen hits the real issue though --- which applies _even if you use encryption_, which is that if any of these 3 people's computers are compromised it's all visible. The only way to prevent that is non-computer storage (paper).
posted by thefoxgod at 1:06 PM on July 6, 2015 [1 favorite]


I keep all my sensitive passwords in a Rolodex, and when I leave the house I hide them. That's where I'm coming from. Probably overkill.
posted by halcyon_daze at 1:51 PM on July 6, 2015


"I use lastpass. :)"

LastPass Hacked, Change Your Master Password Now [Lifehacker, 06/15/15]
posted by Little Dawn at 1:54 PM on July 6, 2015


(among other roles) I am an Information Assurance Manager. IANYIAM...in order of criticality:

- If your organization has anyone doing IT, you should go talk to them about this and probably ignore everything else in this thread.

Think of a good policy, then follow that. Don't think of an implementation and try to discern if it makes good policy. These guys might have some policies and matching technology ideas.

- I think in general this is a bad idea. Such things should be stored securely offline.

'Never store a password online' would be an example of a sensible policy. What about emailing or texting passwords?

- Passwords are designed to authenticate users, not allow actions...you have zero accountability in case of misuse....How will you know who did it? ...shared passwords for an organization's banking is sort of unforgivable.
'Identity' is for two things. One of those is authentication. Are you who you say you are? If more than one person can authenticate as (for example) AllPowerfulOz123, then Oz can wreak havoc without consequence (even accidentally). If there is person:account::1:1, then we have *non-repudiation*. No one can say, "I didn't do it." There are legal ramifications around money/proprietary data/personal & health info and non-repudiation.

- If they absolutely must have a password database, which is still a mediocre idea, have each of them install something like Keepass.

No need to reinvent the wheel - Keepass is a good tool if you must have a password library.
posted by j_curiouser at 1:55 PM on July 6, 2015 [4 favorites]


"One reason I don't worry too much about this kind of thing is anyone with access to my Google account can simply reset passwords on any site with that email address anyway. So having access to my Google account gives them equivalent privileges to having my passwords."

This is an interesting point - my Gmail password is only used for my Gmail. What about your email password? What about the other two people sharing this info on Drive? If your Gmail password is something that you use for other sites and those other sites get hacked, that's a problem. So maybe it would be a compromise to suggest that they make sure their Gmail passwords are only used for Gmail and please change them if that is not the case.

If you're looking for a password manager, I've been using Dashlane. It analyzes your passwords to tell you which ones are insecure and which ones are reused. It generates and saves new secure passwords. They claim that their employees cannot access your passwords because they're encrypted. Dashlane employees also do not have access to the Master Password you set up in Dashlane. If you forget your Master Password, you have to reset your account, deleting all of your info - there are no password hints or password resets. I'm sure it's not perfect because nothing is but it's worked pretty well for me.
posted by kat518 at 1:58 PM on July 6, 2015


"If more than one person can authenticate as (for example) AllPowerfulOz123, then Oz can wreak havoc without consequence (even accidentally)."

Just to build on this idea a bit more so it's easier to understand, here are a couple example scenarios.

Jack wants Jill gone from the organization for whatever reason. So Jack gets Jill's bank account and routing number*, logs into the shared online bank account, and cuts her a check for $5k. A few days later, Jack "discovers" the low balance and the suspicious transaction.

Now what? You're fucked. Even if you are 95% sure Jack set the whole thing up, you probably still can't fire him for it (enjoy the lawsuit if you do). The mistrust from this event will break your organization.

Or hey, framing someone for embezzlement is kind of high stakes. So maybe it's just a drunk tweet/prank sent from the shared twitter account. One that looks much, much less funny when you're sober the next morning. But the sender isn't brave enough to fess up, so people are suspicious of each other forever.

Or not even drunk tweeting, but ambien tweets that the sender legit doesn't remember. Those are fun, too.

The point is, shared passwords prevent you from having the kind of accountability needed to keep people honest and to clean up problems after they occur. Instead you end up with massive trust issues that are impossible to fix.

* Getting a coworker's bank info is easy. You can look in her purse and find her checkbook, or look at online check images of a check she once wrote to the corp, or poke through payroll's binder of direct deposit authorization forms, etc.
posted by ryanrs at 2:29 PM on July 6, 2015 [3 favorites]


Oh my god, this is such a terrible cringeworthy bad idea that i stopped what i was doing and got out my laptop just to reply and say how awful it is. Seriously.

This is the kind of thing several clients and one boss have tried to strongarm me into doing. I have also been around for "who logged in and did this? well we don't know lol because everyone just shares the XYZ account" situations.

You want to use something like roboform or keepass.

Also, for fucks sake, stuff like paypal needs one person who is the Official Pointperson for that account. No one else gets to sign in. Some stuff makes sense to make multiple accounts for, some stuff needs one account that's the business's account and well, one person handles that. If multiple people must have access, then you need some kind of sign in sheet/verification system or a specific workstation that's used for accessing That One Thing.

You've been given several reasons why this is bad and how it could implode, but yes having a spreadsheet of passwords (which, ugh, i've been forced to do over protestations by a boss to do) is fucking ridiculously bad.

There is no legitimate reason for everyone to have access to the paypal, twitter, etc. That is one person's job. It's reasonable to store that info in a database, but one person has the signin that allows access to that database signing in to that site.

Your concern here isn't just someone leaving a system signed in or getting malware/rootkitted/etc, it's someone fucking something up and then blaming it on someone else and you can never ever prove it as described above.

If you think someone jacking cash from a till is bad, wait until they frame someone else and steal stuff on a large scale. Or even just wipe stuff and screw things up.

Or their angry ex does, and it's indistinguishable. Or a million other failure modes.

None of these services will have any sympathy for you or help you out if you get boned over and try and work with their support. Especially paypal and the bank. You'll just get "so uh, you gave them the login details and they were an authorized user and then they did this thing you didn't like? we're sorry but LOLOLOLOLOLOLOL".

"The naivety demonstrated by even thinking this is ok suggests your co-workers probably have devices that will end up infested with malware if they aren't already."

THIS is also a very good point. Is IT even managed in any meaningful way at this organization?

If you must have a file like this, print it out and store it in the fucking safe.

And ugh, i really hope this isn't the kind of place where the only person who could or would have said this was wrong was already pushed out. I've seen that too.
posted by emptythought at 4:14 PM on July 6, 2015 [4 favorites]


I'm not gone yet, emptythought.

In answer to your query, IT is not managed in any meaningful way. It's a new organization, 3 people, none of us are IT people, and I don't foresee an IT person for a while. And we have to share duties across multiple platforms. That's just how it is for now.

This is apparently a common practice. I was told that political consulting firms routinely set up a password file like this on a Google Drive for their clients. And I was told that this is routinely run by legal, and that it "comports with due diligence."
posted by halcyon_daze at 5:52 AM on July 7, 2015


And I was told that this is routinely run by legal, and that it "comports with due diligence."
I've been doing computer security for 25 years or more. If I had a nickel for every time during those 25 years that I've seen some idiot screw something up by asking a lawyer for advice about something other than law, or some moronic lawyer screw something up by opining about something they didn't have a clue about, I would be retired now.

Unless they are specialists with considerable "extra" knowledge outside of the law, lawyers are not qualified to have opinions about information security. Willingness to offer such an opinion is usually a sign of a bad lawyer.
posted by Hizonner at 7:18 AM on July 7, 2015 [2 favorites]


"comports with due diligence"

hmmm..."Is it legal?" is a different question than "Is it technically sufficient?"

severity = likelihood of event * damage of event. That you understand this is really the only thing that matters. Make sure it is your legal department officially acknowledging and accepting the risk, not you (in email).
posted by j_curiouser at 9:36 AM on July 7, 2015


The lawyer is talking about your risk of legal liability. That is just one kind of risk. It is a fine, no doubt competent answer to the specific question "will this incur legal liability for our organisation". It does not answer the question "will this expose us to serious risk."
posted by i_am_joe's_spleen at 6:12 PM on July 7, 2015 [2 favorites]


Consider the political implications of "the other side" (whoever they are) getting the keys to your kingdom. Consider the reputational risk of having this happen to you.
posted by i_am_joe's_spleen at 6:14 PM on July 7, 2015


"This is apparently a common practice"

So is using lousy passwords, and people get hacked because of it.
posted by aubilenon at 10:19 PM on July 7, 2015


on ars today, for whoever is still listening...

What amateurs can learn from security pros about staying safe online
posted by j_curiouser at 12:02 PM on July 24, 2015

