
Honest question: how secure would an encrypted excel spreadsheet in Dropbox be as password manager?


In essence that's what I do, except with a Keepass file in OneDrive. It's been working pretty well for me the last few years. Not sure how insecure it is, though. I imagine it'd take someone cracking my OneDrive password to gain access to the Keepass file, which they'd subsequently have to crack. Assuming the passwords are of high enough entropy (mine are (I hope)), you'd probably be pretty safe.


It's funny they tell people to use different passwords for all sites, except the presence of a master password makes it far more vulnerable, especially when people can be using a weak password as they don't want to lose it.


If you are using a weak password, that's always a problem...

But a master password for offline storage is a completely different story, because even if the world knew your master password, they still couldn't do anything with it, because they need to get to your Dropbox file first.

If you use similar passwords everywhere, any site can read your password and use it to log in somewhere else... You are supposed to use long random passwords for websites because you have to assume that every single password gets compromised and the website you are on tries to hack all other accounts.


Depends on the length of your password, really, and how and where you enter it. All it takes is a keystroke logger to get your master password, and this can be done even with copy/paste.


Probably worse than my mom's LastPass setup, I think.

* Assuming your Dropbox doesn't have every-login 2FA, you're missing out on that. Relying on the master passphrase (notice I didn't say password) alone for anything is a bad idea imo. But I'll give you the option here of saying "yes, my Dropbox has 2FA". In your case you have a Dropbox password AND a master pass to remember. That's 2:1 right there.

* Next we have that your encrypted Excel is zip encrypted last I looked - I could be wrong - but I at least thought that Office encryption was just them using zip. So that's vulnerable to an offline attack if someone has your file. Symmetric 256-bit AES encryption (again, iirc), so it really doesn't matter how good your password is if 256-bit AES isn't good enough for you. Compare this to an offline blob from something like LastPass that uses much stronger 1024- or 2048-bit asymmetric encryption.

* Next, we have that your Excel file, when opened on some foreign computer, is maybe going to sit in the %temp% folder until it's cleared. The entire thing will be clear-text in RAM at once, no doubt. Compare that to you accessing LastPass or similar from a browser that's designed to clear itself after logging off, where only one password is in RAM at a time (supposed to be, anyhow).

* Small things like immediate access, organization, accessing on your phone... All areas that password managers will win no doubt.

* Almost done, but using a password manager will let you do things like "detect password change" on a site you're accessing and update that password automatically. It'll let you sign in to sites for the first time and auto-create a new entry. This goes a LONG way toward keeping an updated and current list.

* Finally, in terms of just general security... I can open my pass manager and access a password without copy and paste, and without anyone standing over my shoulder seeing it. I can share with a non-secure friend or co-worker in a way that at least encourages good behavior, and when I update it they get the new pass without me informing them. With an Excel file you can reliably do none of those things.

That's not to say someone couldn't do it better than a pass manager. Just that I lead with my point. My Mom has a more secure setup than many tech people because she wasn't allowed to make any errors.
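Two points in the thread turn on the same number: the first reply's "assuming the passwords are of high enough entropy" and the warning above that an encrypted file is "vulnerable to an offline attack if someone has your file". The script below is an added example (not code from the thread or from any product named in it) that puts those together: it estimates a master passphrase's entropy from how it was generated, times one key-derivation guess on the local machine, and turns that into an expected time for an attacker who already holds the file. It models the vault's key derivation with PBKDF2-HMAC-SHA256 from the standard library; that is an assumption for illustration, since KeePass and Office each use their own KDF and parameters, so the figures are order-of-magnitude, not product-specific. The passphrase shapes and attacker speedup factor are constructed sample values.

```python
"""Estimate how long an offline guessing attack on an encrypted vault takes.

Added example for this thread, not code from any product mentioned in it.
Assumption: the attacker has the encrypted file and can test master
passphrases offline, limited only by the cost of the vault's key derivation.
The KDF is modelled as PBKDF2-HMAC-SHA256 (hashlib), which is not what
KeePass or Office actually use; treat all figures as rough.
"""
import hashlib
import math
import os
import time


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase built from `length` independent, uniformly
    random symbols drawn from `alphabet_size` choices (characters or words).
    A human-chosen passphrase has less than this; it is an upper bound."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stand-in for the vault KDF: one guess costs one of these calls."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one guess at the given iteration count on this
    machine. Uses constructed throwaway passphrases and a random salt."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"constructed-guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_attack_seconds(
    entropy_bits: float, cost_per_guess: float, attacker_speedup: float = 1.0
) -> float:
    """Average-case time to find the passphrase: half the keyspace, each
    guess costing one KDF evaluation. `attacker_speedup` scales for an
    attacker with more hardware than this machine (a constructed factor)."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * cost_per_guess / attacker_speedup


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit for a quick read."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size or name == "seconds":
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Constructed passphrase shapes: how they were generated, not literal values.
    shapes = {
        "8 lowercase letters":          (8, 26),
        "10 mixed-case + digits":       (10, 62),
        "6 diceware-style words":       (6, 7776),   # 7776 = 6^5 dice outcomes
    }
    # Constructed KDF settings: a weak default vs. a deliberately slow one.
    for iterations in (1_000, 600_000):
        cost = seconds_per_guess(iterations)
        print(f"\n{iterations:,} iterations: {cost * 1e3:.2f} ms per guess here")
        for label, (length, alphabet) in shapes.items():
            bits = passphrase_entropy_bits(length, alphabet)
            # Constructed speedup: an attacker with ~10,000x this machine's throughput.
            t = expected_attack_seconds(bits, cost, attacker_speedup=1e4)
            print(f"  {label:28s} {bits:6.1f} bits  ->  {human_duration(t)}")
```

The output makes the trade-off concrete: a short human-style passphrase falls in hours or days no matter how high the KDF cost, while a six-word random passphrase stays out of reach even against the constructed 10,000x attacker, and raising the iteration count buys a proportional factor on top of whatever entropy you have. That is why the "master password behind a cloud login" setup lives or dies on the master passphrase and KDF settings, not on the cloud account password.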




