I'm more appalled that he's storing his client's account passwords in a spreadsheet. It's ridiculously easy to accidentally share the wrong doc with the wrong people.
Isn't the deal with Google Docs that you can revoke that access a second after you realize you made the mistake? Unlike, say, sending the doc as an attachment?
What would be the best practice way to do this? Everyone could store a list in an unconnected way but it becomes an issue when passwords are changed and new entries are made to the list.