Google confesses it stored some G Suite passwords in plain text for years
Google LLC warned today that the passwords of some G Suite business customers had been stored in plain text for as long as 14 years.
The passwords were stored unhashed, that is, unencrypted, in Google's internal systems. There is no suggestion that they were accessed, though they were potentially a security risk.
The first failure to encrypt the passwords relates to an implementation error around the time G Suite was launched. More specifically, a coding error resulted in manually created passwords, as opposed to automatically created passwords such as those for new employees, being stored in plain text. Google has since removed both the ability for administrators to create manual passwords and the plain text passwords themselves.
A coding error from the early days of G Suite wasn't alone in creating the problem. The second failure, discovered in January, involved Google inadvertently storing a subset of unhashed passwords on secure encrypted infrastructure.
“These passwords were stored for a maximum of 14 days,” Suzanne Frey, vice president of engineering at Google’s Cloud Trust, said in a blog post. “This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords.”
Frey spent significant time explaining how encryption works in an apparent attempt to assure users that their passwords are safe, perhaps more so in the future than in the past.
G Suite business users affected have been notified of the issue and asked to change impacted passwords. Google added that it will reset affected accounts where administrators fail to take action. In addition, Google is providing G Suite administrators with two-step verification options, including security keys, which Google uses to give its own employee accounts an additional layer of security.
“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security,” Frey concluded. “Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.”