G Suite passwords were stored in plain text for 14 years

By on
G Suite passwords were stored in plain text for 14 years

Google revealed that the passwords of some of its enterprise G Suite users were stored in plain text, due to an issue dating back to 2005.

The issue stems from the implementation of a feature allowing administrators to manually set and recover passwords, causing the G Suite admin console to store a copy of the unhashed password.

Google said this only affected business users and no free consumer-grade Google accounts were affected.

“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security,” Google VP for engineering for Cloud Trust Suzanne Frey said in a blog post.

“Here we did not live up to our own standards, nor those of our customers. We apologise to our users and will do better.”

Google uses a hash function to encrypt user passwords and store them alongside usernames, which are then encrypted before being saved.

G Suite previously provided domain administrators with tools to set and recover passwords, where they can upload or manually set user passwords for their company’s users. The company said it “made an error” on the admin console storing a copy of the unhashed password.

“This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure,” Frey said.

“This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Frey added that Google discovered that it inadvertently stored a subset of unhashed passwords starting in January 2019 for up to 14 days, but said the issue has since been fixed and found no evidence of improper access to or misuse of the affected passwords.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © CRN Australia. All rights reserved.

Most Read Articles

You must be a registered member of CRN to post a comment.
| Register


How do you feel about Telstra's new services play?
Telstra has become a direct threat - we'll only work with other carriers
We can live with this - we'll still use Telstra networks
This is an opportunity for us - customers liked working with Telstra's sub-brands
This changes nothing - Telstra was always a competitor
View poll archive

Log In

Username / Email:
  |  Forgot your password?