G Suite passwords stored in plain text for 14 years

Google reveals a bug prevented its cryptography system encrypting enterprise users' login details since 2005

G Suite on laptop under a magnifying glass

Google has revealed that some G Suite passwords have been stored in plaintext, meaning without encryption, for 14-years.

The tech giant said it had recently discovered a bug that's been around since 2005 and has begun resetting any passwords that might be affected, as well as alerting G Suite administrators about the issue.

"We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed," said Suzanne Frey, VP of Google's engineering and cloud trust division.

"This is a G Suite issue that affects business users only--no free consumer Google accounts were affected--and we are working with enterprise administrators to ensure that their users reset their passwords."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Frey added that Google has been conducting a thorough investigation and, so far, hasn't seen any evidence of improper access or misuse of these affected G Suite credentials.

The blog post goes into great detail about Google's policy on storing passwords with cryptographic hashes that mask them. Cryptography is a one-way system, as in only seen at Google's end, where it scrambles user passwords with a hash function - so it becomes something like "72i32hedgqw23328". This is then stored with the relevant user name, encrypted and saved to disk. The next time the user signs in, the password is scrambled in the same way to see if it matches what Google has stored.

But this wasn't the case back in 2005 for one particular feature. In the enterprise version of G Suite, Google allowed domain administrators with tools to set and recover passwords; supposedly because this was highly requested. This tool was located in the admin console and let administrators upload or manually set user passwords.

The idea was to help administrators load on new users but the function would inadvertently store a copy of the unhashed password in the admin console. Google stressed that these passwords remained in its secure encrypted infrastructure and that the issue had been fixed, but 2005 was a long time ago.

While that's bad enough, further password encryption flaws were found by the company as it was troubleshooting new G Suite customer sign-up flows. It discovered that from in January 2019 it had inadvertently stored a subset of unhashed passwords in its secure encrypted infrastructure. These passwords were only stored for a maximum of 14 days and once again, Google said the issue has been fixed.

This is one of a number of incidents reported by tech companies in recent times, where password encryption has been hampered by a bug or fault. Last year, Twitter warned its users to update their passwords after the company identified a flaw in its systems that could have allowed staff at the company to view them in plaintext form. Twitter sent an email to users explaining that the bug had been fixed and the resulting internal investigation "showed no indication of a breach of misuse by anyone".

Advertisement - Article continues below

In Google's defence, despite how long the bug has been in G Suite, its notification has not tried to mask anything. Unlike Facebook, which earlier this year notified users that "some" passwords had been stored in plaintext, only explaining much further down its blog post that actually hundreds of millions of passwords for Facebook, Instagram and Facebook Lite were stored without encryption.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020