UPDATED 20:41 EDT / MAY 21 2019

SECURITY

Google confesses it stored some G Suite passwords in plain text for years

Google LLC warned today that the passwords of some G Suite business customers had been stored in plain text for as long as 14 years.

The passwords were stored unhashed, that is unencrypted, in Google internal systems with no suggestion that they may have been accessed, though they were potentially a security risk.

The first failure to encrypt the passwords relates to an implementation error around the time G Suite was launched. More specifically, a coding error resulted in manually created passwords as opposed to automatically created passwords, such as those for new employees, stored in plain text. Google has since removed the ability for administrators to create manual passwords as well as removing the plain text passwords.

A coding error from the early days of G Suite wasn’t alone is creating the problem. The second failure, discovered in January, involved Google inadvertently storing a subset of unhashed passwords on secure encrypted infrastructure.

“These passwords were stored for a maximum of 14 days,” Suzanne Frey, vice president of engineering at Google’s Cloud Trust, said in a blog post. “This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords.”

Frey spent significant time explaining how encryption works in an apparent attempt to assure users that their passwords are safe, perhaps more so in the future than in the past.

G Suite business users affected have been notified of the issue and asked to change impacted passwords. Google added that it will reset affected accounts where administrators fail to take action. In addition, Google is providing G Suite administrators with two-step verification options, including security keys, which Google uses to give its own employee accounts an additional layer of security.

“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security,” Frey concluded. “Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.”

Photo: barto/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU

Cookies

We employ the use of cookies. Find out more.