Google warns of G Suite plain-text password gaffe

May 22, 2019 | 10:52

Tags: #gmail #google-docs #g-suite #insecurity #password #plain-text #plain-text-password #security #suzanne-frey

Companies: #alphabet #google

Google has warned users of its G Suite enterprise platform that it inadvertently stored passwords in plain text format for 14 years - after 'an error' was made when implementing administrator password control functionality.

Designed for enterprise use, G Suite bundles various Google productivity offerings - including Gmail and Google Docs - into a single platform designed to offer companies better control over users and their data. As part of G Suite, Google makes certain promises regarding the security of said users and data - but has this week confirmed it had inadvertently been storing passwords in plain text format for the past 14 years.

'In our enterprise product, G Suite, we had previously provided domain administrators with tools to set and recover passwords because that was a common feature request. The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company's users,' explains the vice president of engineering for Google Cloud Trust Suzanne Frey in the company's mea culpa. 'We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.'

In addition to this long-running bug, Frey has confirmed that a second bug has been storing 'a subset of unhashed passwords' since January 2019 but only for a maximum period of 14 days. The company has reached out to G Suite administrators advising them to change passwords impacted by both gaffes.

Google's error echoes that of Facebook, which in March this year admitted to storing hundreds of millions of user passwords in plain text. Where Facebook's password file was accessible by staff, however, Google claims its own equivalent was stored in a secure, encrypted infrastructure and not directly accessible.


Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04