Google admits storing passwords in plain text for over 10 years

Posted on May 23, 2019


Search giant Google has recently disclosed that it has discovered an issue whereby a number of G Suite users have had their passwords being stored in plain text format.

According to the company, which announced the discovery in a blog post earlier this week, the problem has been around for over a decade, since 2005. However, Google does not believe that any of the passwords were inappropriately accessed after finding no evidence for this to be the case. As a result of the discovery, the company will be resetting any of the passwords that may have been compromised as well as informing G Suite administrators about the issue.

Google did not state how many passwords were being stored this way, but did say it has affected a subset of customers. This could presumably be anyone that was using the service back in 2005. Furthermore, whilst there was no evidence of malicious access, it is not clear as to who would have had access to these passwords in the first place.

G Suite is the company’s corporate version of Gmail and many other of its services, and it is believed that the error came about within this service because of a feature that was designed specifically for use by businesses.

Earlier in G Suite’s existence, users were able to manually set user passwords for their businesses in situations such as in readiness for a new employee starting, and once the password was set, the admin console would then store that password in plain text rather than hashing it. Since the discovery, Google has now removed that ability from administrators.

In the blog post, Google goes to great length to explain the ins and outs of cryptographic hashing and how it works, possibly in an effort to reassure users that the nuances around this bug have been cleared.

Although passwords were stored in plain text format, they were stored inside Google’s own servers, meaning that it would be harder to get to them than if they were stored on the open internet. While Google didn’t explicitly say this, it seems that the company wants to make sure this incident is not lumped into the same pile as other password bugs that were leaked after being stored online.

Google has issued an apology for this error, stating that it did not live up to its own standards, reiterating that it takes the security of its customers extremely seriously.

Operations Manager at Engage Web
Drawing from a broad pool of experience that ranges from university studies in English Language to his work as a medical receptionist in a busy GP practice, Alan fits right at home as Engage Web’s Operations Manager.
Alan Littler
Call Now Button

Who Engage Web has helped:

Ice Lolly Minuteman Press BUNZLGS1 UK The Underfloor Heating Store West Cheshire Athletic Club Thomas Cook MWB Business ExchangeWeb Media 360 D2 Architects Beacon Financial Training Steely ProductsBurlydam Garden Centre Asentiv BodyHQ Clever Vine Endeavour Mortgages Pro Networks Comm-Tech Wickers World Ascot Mortgages Top Teks
TEL: 0345 621 4321