Google admitted it had been storing a large number of G-Suite passwords in plain text since 2005. This means that anyone able to access the database could steal the passwords with a simple copy-and-paste. Normally, Google stores user passwords only after they have been run through a cryptographic hashing algorithm, specifically so that the original password cannot be read back from what is stored.
Google announced that it has been storing some G Suite user passwords in plain text
The issue, which dates all the way back to 2005, relates to a function that gave G-Suite administrators the ability to set and recover passwords for their company's users. This function was not implemented correctly: whenever an administrator onboarded a new user or recovered a password, the admin console stored the credentials in an unencrypted manner. Over the 14 years since, this has grown into the list that Google disclosed last week.
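As an added illustration (not code from Google or from this article), the snippet below contrasts an admin "set/recover password" path that keeps the literal secret with one that stores only a salted, slow PBKDF2-HMAC-SHA256 hash, and adds the two things a defender wants around such a finding: an audit that flags rows holding an unhashed password, and a migration step that re-stores them as hashes. The store classes, user names, passwords and the work factor are all constructed for the example.

```python
"""Plaintext vs. hashed credential storage for an admin 'set password' path.
Added example: the stores, users and passwords here are constructed, not Google's code."""
import hashlib
import hmac
import os
import secrets

# PBKDF2-HMAC-SHA256 work factor (assumption: tune so one derivation takes ~100 ms on your hardware).
ITERATIONS = 100_000
SALT_BYTES = 16


class PlaintextStore:
    """Anti-pattern: the console keeps the literal password, so anyone who can read
    the table can copy it out."""

    def __init__(self):
        self.rows = {}

    def set_password(self, user, password):
        self.rows[user] = {"password": password}

    def verify(self, user, attempt):
        row = self.rows.get(user)
        return row is not None and hmac.compare_digest(row["password"].encode(), attempt.encode())

    def recover(self, user):
        # The convenience that caused the problem: the original secret can be read back.
        return self.rows[user]["password"]


class HashedStore:
    """Stores only a salted, slow hash; the password itself is never persisted."""

    def __init__(self):
        self.rows = {}

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def set_password(self, user, password):
        salt = os.urandom(SALT_BYTES)  # per-user random salt: same password -> different hash
        self.rows[user] = {
            "alg": "pbkdf2-sha256",
            "iter": ITERATIONS,
            "salt": salt.hex(),
            "hash": self._derive(password, salt, ITERATIONS).hex(),
        }

    def verify(self, user, attempt):
        row = self.rows.get(user)
        if row is None:
            # Burn the same work for unknown users so timing does not leak whether they exist.
            self._derive(attempt, b"\x00" * SALT_BYTES, ITERATIONS)
            return False
        got = self._derive(attempt, bytes.fromhex(row["salt"]), row["iter"])
        return hmac.compare_digest(got, bytes.fromhex(row["hash"]))

    def recover(self, user):
        # Nothing can be recovered from a hash; the only option is a fresh temporary password.
        temp = secrets.token_urlsafe(12)
        self.set_password(user, temp)
        return temp


def audit_unhashed(rows):
    """Detection: users whose stored row holds a literal password instead of alg/salt/hash."""
    return sorted(u for u, r in rows.items()
                  if "password" in r or not {"alg", "salt", "hash"} <= set(r))


def migrate(plain_store):
    """Remediation: re-store every plaintext credential as a salted hash and wipe the originals.
    The caller should still force a reset, since the plaintext may already have been read."""
    hashed = HashedStore()
    for user, row in plain_store.rows.items():
        hashed.set_password(user, row["password"])
    plain_store.rows.clear()
    return hashed
```

The `recover` methods make the design trade-off concrete: with hashed storage an administrator can only issue a new temporary password, which is exactly the capability the article says Google removed rather than re-implementing on top of stored secrets.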
The list of plain text G-Suite passwords was discovered in April, with the search giant saying, “… we recently notified a subset of our enterprise G-Suite customers that some passwords were stored in our encrypted internal systems unhashed.” Google also claims to have fixed the issue in the simplest way possible, saying, “The functionality to recover passwords this way no longer exists.” G-Suite admins no longer have the ability to recover passwords for members of their company. It is not clear at this point whether Google plans to replace the feature with something similar.
The good news here is that this issue only affected Google G-Suite users. “This is a G-Suite issue that affects business users only; no free consumer Google accounts were affected.” You don’t have to worry about your Gmail password being stored in this insecure manner just yet.
As well as closing off the problem by removing the recover password feature, Google also announced that it has been working with G-Suite admins to reset all of the affected passwords and the search giant told TechCrunch that it has informed the data protection regulators of the exposure.
According to Google, the unencrypted list always remained on its secure internal framework, and there has been no evidence of “improper access or misuse of the affected passwords.” It is still disheartening to learn, however, that at a time when our online security is more important than ever, the companies we rely on aren’t acting as responsibly as they should be.
It wasn’t that long ago that Facebook was lambasted for keeping a lot of user passwords in a plain text database. The social media giant tried to defend itself, saying that the database was only available internally, to Facebook employees, but the fact remained that basic carelessness had put the security of millions of Facebook, Facebook Lite, and Instagram users in jeopardy. It has now come to light that Google is guilty of the same crime.