G Suite passwords stored in plain text for 14 years

Google reveals a bug prevented its cryptography system encrypting enterprise users' login details since 2005

G Suite on laptop under a magnifying glass

Google has revealed that some G Suite passwords have been stored in plaintext, meaning without encryption, for 14-years.

The tech giant said it had recently discovered a bug that's been around since 2005 and has begun resetting any passwords that might be affected, as well as alerting G Suite administrators about the issue.

"We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed," said Suzanne Frey, VP of Google's engineering and cloud trust division.

"This is a G Suite issue that affects business users only--no free consumer Google accounts were affected--and we are working with enterprise administrators to ensure that their users reset their passwords."

Frey added that Google has been conducting a thorough investigation and, so far, hasn't seen any evidence of improper access or misuse of these affected G Suite credentials.

The blog post goes into great detail about Google's policy on storing passwords with cryptographic hashes that mask them. Cryptography is a one-way system, as in only seen at Google's end, where it scrambles user passwords with a hash function - so it becomes something like "72i32hedgqw23328". This is then stored with the relevant user name, encrypted and saved to disk. The next time the user signs in, the password is scrambled in the same way to see if it matches what Google has stored.

But this wasn't the case back in 2005 for one particular feature. In the enterprise version of G Suite, Google allowed domain administrators with tools to set and recover passwords; supposedly because this was highly requested. This tool was located in the admin console and let administrators upload or manually set user passwords.

The idea was to help administrators load on new users but the function would inadvertently store a copy of the unhashed password in the admin console. Google stressed that these passwords remained in its secure encrypted infrastructure and that the issue had been fixed, but 2005 was a long time ago.

While that's bad enough, further password encryption flaws were found by the company as it was troubleshooting new G Suite customer sign-up flows. It discovered that from in January 2019 it had inadvertently stored a subset of unhashed passwords in its secure encrypted infrastructure. These passwords were only stored for a maximum of 14 days and once again, Google said the issue has been fixed.

This is one of a number of incidents reported by tech companies in recent times, where password encryption has been hampered by a bug or fault. Last year, Twitter warned its users to update their passwords after the company identified a flaw in its systems that could have allowed staff at the company to view them in plaintext form. Twitter sent an email to users explaining that the bug had been fixed and the resulting internal investigation "showed no indication of a breach of misuse by anyone".

In Google's defence, despite how long the bug has been in G Suite, its notification has not tried to mask anything. Unlike Facebook, which earlier this year notified users that "some" passwords had been stored in plaintext, only explaining much further down its blog post that actually hundreds of millions of passwords for Facebook, Instagram and Facebook Lite were stored without encryption.

Featured Resources

Five lessons learned from the pivot to a distributed workforce

Delivering continuity and scale with a remote work strategy

Download now

Connected experiences in a digital transformation

Enable businesses to meet the demands of the future

Download now

Simplify to secure

Reduce complexity by integrating your security ecosystem

Download now

Enhance the safety and security of your people, assets and operations

Enable a true vision of security with an engineered solution based on hyperconverged and storage platforms

Download now

Recommended

'Largest ever' Magecart hack compromises 2,000 online stores
hacking

'Largest ever' Magecart hack compromises 2,000 online stores

15 Sep 2020
Infocyte integrates with Palo Alto Networks Cortex XSOAR
cyber security

Infocyte integrates with Palo Alto Networks Cortex XSOAR

19 Aug 2020
Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020

Most Popular

Accenture ploughs $3 billion into cloud migration support group
digital transformation

Accenture ploughs $3 billion into cloud migration support group

17 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google takes on Zoom with launch of Meet hardware
video conferencing

Google takes on Zoom with launch of Meet hardware

16 Sep 2020