Google Stored G Suite Passwords in Plaintext Since 2005

g suite google password

Google said it had stored G Suite enterprise users’ passwords in plain text since 2005 marking a giant security faux pas.

Google stored G Suite passwords in plaintext for almost 15 years, the cloud giant acknowledged on Tuesday evening.

G Suite, Google’s brand of cloud computing, productivity and collaboration tools, software and products, has more than 5 million users as of February. Google said that it recently discovered the passwords for a “subset of enterprise G Suite customers” stored in plain text since 2005.

“This practice did not live up to our standards,” Suzanne Frey, VP of engineering for Google Cloud Trust, said in a post. “To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Enterprise, not consumer, accounts were impacted, said Google.

The best security practice is to store passwords with cryptographic hashes that mask those passwords to ensure their security – so when users set their passwords, instead of remembering the exact characters of the password, companies will scramble it with a “hash function.”

However, Google said that within G Suite, it had made an error implementing a G Suite console for domain administrators that resulted in passwords being stored in plaintext – meaning they didn’t have cryptographic hashes and were left unscrambled.

The tool, located in the administrator console, allowed administrators to upload or manually set user passwords for their company’s users  and was meant to help them onboard new users. However, due to implementation error the admin console was inadvertently storing passwords in plain text. The functionality no longer exists, said Google.

In a separate issue, Google also discovered that starting in January 2019, it inadvertently stored a subset of unhashed passwords – for a maximum of 14 days – in its encrypted infrastructure.

“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” said Frey. “We will continue with our security audits to ensure this is an isolated incident.”

Google has notified G Suite administrators to change impacted passwords and will reset accounts that have not already done so themselves. Google did not specify how many users were impacted by either incident.

The main issue is that the full extent of a security faux pas like this for years to come is still unknown, Robert Prigge, president of Jumio, said.

“That means, when G Suite users are logging into their accounts, we want to believe, really believe, that they are the legitimate account owners,” said Prigge in an email. “But, at the end of the day, we don’t know for sure. And the weakest link in the security chain is again Google’s username and password. Thanks to the Dark Web, phishing attacks and social engineering, there’s a huge quantity of user credentials available for purchase (for pennies).”

Another concern is the timeline: The fact that Google just recently discovered that the G Suite passwords were stored in plaintext since 2005 is troubling, Kevin Gosschalk, CEO of Arkose Labs said.

“Companies need to be constantly re-evaluating and testing their own security measures to make sure lapses in security or, in this instance, a faulty password setting and recovery offering, does not jeopardize its customers or their accounts,” Gosschalk said via email. “This mistake should have been recognized and prevented fourteen years earlier with proactive, ongoing security testing.”

Google is only the latest conglomerate tech company to find itself in hot water due to how it stores passwords. In March, Facebook said it found that hundreds of millions of user passwords were stored in plain text for years.  And a year ago in May 2018, Twitter said that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling  to change their passwords.

Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.

Suggested articles