by jillesvangurp 1271 days ago
I recently had to coach a co-worker to do something more sane than store her passwords in a plain text file on her private Google Drive (seriously!). This is what real people do when you confront them with a lot of complex security. The reason I discovered this was that I had to talk her through setting up 2FA for our company's Google account because she lost her phone. And then I discovered that she was copy-pasting passwords from this stupid text file. Which, btw, really sucks on mobile.

She's now a Bitwarden user. Mind properly blown. Next she'll be using it to use generated passwords. Amazing. Bonus points if she starts using 2FA for her private accounts. From what I've seen she doesn't and she uses a small set of easily guessable passwords all over the place. But at least they now come from a password manager. But it's not really a scalable solution because I don't have the time or patience to coach all of our people. And yes, we do have a security policy that spells all of this out. I wrote it. It helps but people default to doing the wrong things.

Ultimately, that's why we need to get rid of passwords. There's a group of users for whom all this security stuff is just way too difficult. We need to make it simpler for them to stay secure, not harder. Forcing them to remember lots of different passwords backfired and necessitated password managers. Passwordless logins are now a thing with several companies. It takes a bit of ingenuity to make that work, but it usually boils down to multi-device/factor authentication with some ultimate fallback.

4 comments

> I recently had to coach a co-worker to do something more sane than store her passwords in a plain text file on her private Google Drive (seriously!)

I would have assumed this was an insecure way to store passwords also, but I was using LastPass for the last 2 years, so I'm in no place to talk.

>I recently had to coach a co-worker to do something more sane than store her passwords in a plain text file on her private Google Drive

Oh, so you showed her how to encrypt and decrypt plain text files with readily available tools? Because honestly that's the only thing wrong with her solution.

I'd really not recommend doing that - Google Drive has mangled so many files when edited in place over the years, I'm barely comfortable using it for anything except write-once-read-many things like PDF copies of things.

Yes, what we need is a good proof of identity system -- that's all username/password are trying to achieve. There are several systems out there, including some standards. I guess it's kind of a chicken/egg situation where few logins support it because few people have it and few people have it because few logins support it.

Passwordless systems are shitty in all kinds of ways: difficult for users to understand, must have multiple hardware tokens, rely on 3P (who likely needs a password anyway), lock in to one vendor, difficult to recover from lost device, sometimes uses derived values--putting all past and future values at risk.

They'll have an answer for every critique, but they're usually weak responses that assume tech literate users.

Explain exactly why her solution was so bad, especially as compared to the others, because I'm not at all convinced that it is.

Sure, it's perhaps dangerous to give Google all that power, but I quite literally would trust this more than any third-party password manager that does any type of off-your-computer storage.

OP already mentioned that the UX on mobile was really bad.

A real password manager (like Bitwarden) would be integrated into the mobile OS, and automatically prompt to fill passwords. It also doesn't provide any functionality to generate secure, unique passwords for each site, so it encourages insecure reuse of passwords. Further, it can't notify the user when a password has been compromised and should be changed.

Different people have different threat models, and improving usability of good tools can improve security more than perfect tools would.

If she's signed in to Google Drive on a computer and that text file is synced locally, it can be read by any old process that has just user-level privileges. No elevation or anything tricky required.
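As an added illustration of the last two points (the synced plaintext file is readable by any user-level process, and a flat text file gives no reuse or strength checks), here is a small Python script that is not from the thread or from any commenter. It assumes a hypothetical layout: a "Google Drive" folder somewhere under the user's home directory, a file named like "passwords.txt", and one "site<TAB>username<TAB>password" entry per line; the sample vault contents are constructed for the example.

```python
"""Added example (not from the thread): what an unprivileged process can do
with a plaintext password file synced into a local Google Drive folder.

Assumptions (hypothetical): the synced folder sits under the user's home
directory, the file has a credential-looking name such as "passwords.txt",
and each line is "site<TAB>username<TAB>password" (a constructed format).
"""
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample vault, the kind of file the thread is talking about.
SAMPLE_VAULT = """\
gmail\tjane@example.com\tSummer2019!
bank\tjane\tSummer2019!
work-vpn\tjdoe\tpassword1
github\tjane-dev\tcorrect horse battery staple
"""

NAME_HINT = re.compile(r"(pass(word)?s?|pwd|logins?|credentials?)", re.I)


def find_candidate_files(root):
    """Walk a directory tree as the current user and return plain files whose
    name suggests stored credentials. No elevation is needed: the synced copy
    is owned by the same user this process runs as."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NAME_HINT.search(name) and name.lower().endswith((".txt", ".md", ".csv")):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def parse_entries(text):
    """Parse site/user/password triples; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and all(parts):
            entries.append(tuple(parts))
    return entries


def reuse_report(entries):
    """Map each reused password to the sites sharing it. A manager that
    generates a unique password per site would produce an empty report."""
    by_password = defaultdict(list)
    for site, _user, password in entries:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def weak_passwords(entries, min_len=12):
    """Crude strength check: too short, or a single word with up to four
    trailing digits/punctuation, i.e. what a wordlist plus rules guesses."""
    simple = re.compile(r"^[A-Za-z]+[0-9!@#$%^&*]{0,4}$")
    return sorted({pw for _s, _u, pw in entries if len(pw) < min_len or simple.match(pw)})


def demo():
    """Write the constructed vault into a fake synced folder, then harvest and
    audit it exactly as any user-level process could."""
    with tempfile.TemporaryDirectory() as home:
        drive = os.path.join(home, "Google Drive", "My Drive", "notes")
        os.makedirs(drive)
        with open(os.path.join(drive, "passwords.txt"), "w") as f:
            f.write(SAMPLE_VAULT)
        files = find_candidate_files(home)
        entries = []
        for path in files:
            with open(path) as f:
                entries.extend(parse_entries(f.read()))
        return {
            "files": [os.path.relpath(p, home) for p in files],
            "reused": reuse_report(entries),
            "weak": weak_passwords(entries),
        }


if __name__ == "__main__":
    print(demo())
```

Running it shows the file located from a plain directory walk, "Summer2019!" flagged as reused between gmail and bank, and two weak passwords; nothing in the script needs anything beyond the rights of the logged-in user, which is the whole point of the comment above.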