Google recently announced that an error in functionality in G Suite that allowed domain administrators to set and recover passwords for business users, stored a copy of unhashed passwords in the company's encrypted infrastructure since 2005. However, such passwords were not improperly accessed or misused by company employees.
While Google's standard policy for regular users is to assign “hash functions” to every user password so that the company's software can verify if an user has entered the correct password when logging in without actually seeing the password, the company runs a different policy when it comes to storing and securing passwords of G Suite users who are mostly business customers.
Until recently, the company ran a unique policy for G Suite users that allowed domain administrators to set and recover passwords for their company’s users. Thanks to this functionality, companies that owned G Suite enterprise accounts could manually set passwords for their new employees and the latter could receive their account information on their first day of work and for account recovery.
G Suite functionality stored passwords in plain text
Recently, Suzanne Frey, vice president of Engineering for Cloud Trust at Google said that because of an error in the G Suite functionality that allowed companies to manually set passwords, the admin console stored a copy of unhashed passwords in Google's secure encrypted infrastructure. These passwords were, in fact, stored in plain text since 2005 and were recently identified by the company.
"Google’s policy is to store your passwords with cryptographic hashes that mask those passwords to ensure their security. However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.
"This is a G Suite issue that affects business users only–no free consumer Google accounts were affected–and we are working with enterprise administrators to ensure that their users reset their passwords. We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials," Frey said.
She added that Google also discovered that it had inadvertently stored a subset of unhashed passwords in its secure encrypted infrastructure since January this year and these passwords were stored for a maximum of 14 days. As of now, both the errors have been fixed and Google is no longer running the functionality for G Suite users.
"In a matter of two weeks, Google have shown a major lack of cybersecurity best practices, starting with a security flaw in their advanced protection program that resulted in Google having to recall the Titan Security Keys, and now it just gets worse to find out that they have failed to encrypt G Suite customers passwords for up to 14 years," says Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic.
"This simply just makes it too easy for cybercriminals in a world when we must make it more difficult. Passwords are meant to be a secret and this poor practice means G Suite users passwords are not a secret, reducing the security extremely to being easily abused by both external criminals or malicious insiders within Google," he adds.