If your Google account happens to be one of the billion Internet passwords The New York Times just reported to have been amassed by a Russian gang, then your docs, your mail, and your puppy photos are in the hands of a ... well ... Russian gang. Unless you have 2-Step Verification turned on.
We have no idea if any of these passwords are actually Google accounts, but really it makes no difference. The password system for proving that you are you is completely broken. Almost all passwords are weak even when websites say they're strong. If your password doesn't look like this ...
8.;=>#qH->8'6Mv... it's weak.
If it does look like that, then it's only secure as long as the Russian gang or any other hacker hasn't stolen it.
So far, the best way to protect your accounts is to use 2-Step Verification.
With 2-Step, access to your account requires not only something you know (password), but also something you have (your phone). After you have it turned on, each time you log into your account you will also enter a code produced by your phone's authenticator app. Once you do this on a device that you trust, you won't have to do it again. If you lose your phone, you can use one of several codes you print out and store in your wallet.
This process does take some time to set up. And it does add a step when signing in to new devices. But once you get through the set-up phase, your experience is almost the same as without 2-step turned on. Except for that devastating data loss part.