Passwords of G Suite enterprise users were stored in plain text since 2005

Google recently announced that an error in a G Suite feature, which allowed domain administrators to set and recover passwords for business users, had stored a copy of unhashed passwords in the company’s encrypted infrastructure since 2005. However, such passwords were not improperly accessed or misused by company employees.

While Google’s standard policy for regular users is to apply a hash function to every user password, so that the company’s software can verify whether a user has entered the correct password when logging in without actually seeing the password, the company runs a different policy when it comes to storing and securing the passwords of G Suite users, who are mostly business customers.

Until recently, the company ran a unique policy for G Suite users that allowed domain administrators to set and recover passwords for their company’s users. With this functionality, companies that owned G Suite enterprise accounts could manually set passwords for their new employees, who could then receive their account information on their first day of work, and could use it for account recovery.

G Suite functionality stored passwords in plain text

Recently, Suzanne Frey, vice president of Engineering for Cloud Trust at Google, said that because of an error in the G Suite functionality that allowed companies to manually set passwords, the admin console stored a copy of unhashed passwords in Google’s secure encrypted infrastructure. These passwords had, in fact, been stored in plain text since 2005 and were only recently identified by the company.

“Google’s policy is to store your passwords with cryptographic hashes that mask those passwords to ensure their security. However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.

“This is a G Suite issue that affects business users only–no free consumer Google accounts were affected–and we are working with enterprise administrators to ensure that their users reset their passwords. We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials,” Frey said.

She added that Google also discovered that it had inadvertently stored a subset of unhashed passwords in its secure encrypted infrastructure since January this year, and that these passwords were stored for a maximum of 14 days. As of now, both errors have been fixed and Google is no longer running the functionality for G Suite users.
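The difference between hash-only storage and an admin set-password path that keeps a recoverable copy can be shown with a canary check, given here as an added example that is not Google's code. The function names, the `recovery_copy` field, the PBKDF2 parameters and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this sketch

def hash_password(password: str) -> dict:
    """Return a salted hash record; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash from the login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def admin_set_flawed(store: dict, user: str, password: str) -> None:
    """Hypothetical admin path that also persists a recoverable copy (the bug class)."""
    store[user] = {**hash_password(password), "recovery_copy": password}

def admin_set_fixed(store: dict, user: str, password: str) -> None:
    """Admin path that persists only the salted hash."""
    store[user] = hash_password(password)

def leaks_plaintext(admin_set) -> bool:
    """Canary check: set a unique password, then search everything persisted for it."""
    store = {}
    canary = "canary-" + secrets.token_hex(8)  # constructed test credential
    admin_set(store, "new.hire@example.com", canary)
    return canary in json.dumps(store)

if __name__ == "__main__":
    print("flawed path leaks:", leaks_plaintext(admin_set_flawed))
    print("fixed path leaks: ", leaks_plaintext(admin_set_fixed))
```

The same canary search can be pointed at logs, caches and backups written during a password-set operation, since a stray copy may sit outside the credential store.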

“In a matter of two weeks, Google have shown a major lack of cybersecurity best practices, starting with a security flaw in their advanced protection program that resulted in Google having to recall the Titan Security Keys, and now it just gets worse to find out that they have failed to encrypt G Suite customers’ passwords for up to 14 years,” says Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic.

“This simply just makes it too easy for cybercriminals in a world when we must make it more difficult. Passwords are meant to be a secret and this poor practice means G Suite users’ passwords are not a secret, reducing the security extremely to being easily abused by both external criminals or malicious insiders within Google,” he adds.

Copyright Lyonsdown Limited 2021
