Passwords of G Suite enterprise users were stored in plain text since 2005

Google recently announced that a bug in a G Suite feature that let domain administrators set and recover passwords for business users had caused a copy of those passwords to be stored unhashed in the company’s encrypted internal infrastructure since 2005. Google says it has found no evidence that the passwords were improperly accessed or misused by its employees.

Google’s standard policy for regular users is to store only a cryptographic hash of each password, so that its software can check whether a user has entered the correct password at login without ever seeing the password itself. For G Suite users, who are mostly business customers, the company ran a different process for storing and securing passwords.
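The check described above, as an added example that is not Google’s code: a user store keeps a salted PBKDF2 hash, login recomputes the hash from the typed password and compares it, and the admin “set” and “reset” paths (the ones the article says kept an unhashed copy) write only the hash. The store layout, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Derive a salted hash record; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: Dict[str, object], candidate: str) -> bool:
    """Login check: rehash the candidate with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def admin_set_password(store: Dict[str, dict], username: str, new_password: str) -> None:
    """Admin-set path (assumed): the record written is the hash record only."""
    store[username] = hash_password(new_password)


def admin_reset_password(store: Dict[str, dict], username: str) -> str:
    """Admin-recovery path (assumed): mint a one-time temporary password,
    store only its hash, and hand the temporary value back to give to the user.
    The admin can reset a password but cannot read the existing one."""
    temporary = secrets.token_urlsafe(12)
    store[username] = hash_password(temporary)
    return temporary


def record_holds_plaintext(record: Dict[str, object], password: str) -> bool:
    """Audit helper: True if the raw password leaked into any stored field."""
    return any(str(v) == password for v in record.values())
```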

Until recently, the company ran a separate process for G Suite that allowed domain administrators to set and recover passwords for their company’s users. With this feature, companies with G Suite enterprise accounts could manually set passwords for new employees, who could then receive their account details on their first day of work, and could use the same feature for account recovery.

G Suite functionality stored passwords in plain text

Suzanne Frey, vice president of Engineering for Cloud Trust at Google, recently said that because of an error in the G Suite feature that let companies set passwords manually, the admin console stored a copy of the unhashed passwords in Google’s secure encrypted infrastructure. These passwords had in effect been stored in plain text since 2005; the company only recently identified the problem.

“Google’s policy is to store your passwords with cryptographic hashes that mask those passwords to ensure their security. However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.

“This is a G Suite issue that affects business users only–no free consumer Google accounts were affected–and we are working with enterprise administrators to ensure that their users reset their passwords. We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials,” Frey said.

She added that Google had also discovered a second issue: since January this year, a subset of unhashed passwords had been inadvertently stored in its secure encrypted infrastructure, for a maximum of 14 days each. Both errors have now been fixed, and Google no longer runs the affected functionality for G Suite users.

“In a matter of two weeks, Google have shown a major lack of cybersecurity best practices, starting with a security flaw in their advanced protection program that resulted in Google having to recall the Titan Security Keys, and now it just gets worse to find out that they have failed to encrypt G Suite customers’ passwords for up to 14 years,” says Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic.

“This simply just makes it too easy for cybercriminals in a world when we must make it more difficult. Passwords are meant to be a secret and this poor practice means G Suite users’ passwords are not a secret, reducing the security extremely to being easily abused by both external criminals or malicious insiders within Google,” he adds.

Copyright Lyonsdown Limited 2021