Google admits storing passwords in plain text for over 10 years

Posted on May 23, 2019

 

Search giant Google has recently disclosed that it has discovered an issue whereby a number of G Suite users have had their passwords stored in plain text.

According to the company, which announced the discovery in a blog post earlier this week, the problem has been around for over a decade, since 2005. However, having found no evidence of misuse, Google does not believe that any of the passwords were inappropriately accessed. As a result of the discovery, the company will be resetting any of the passwords that may have been compromised as well as informing G Suite administrators about the issue.

Google did not state how many passwords were being stored this way, but did say that a subset of customers was affected. This could presumably be anyone who was using the service back in 2005. Furthermore, whilst there was no evidence of malicious access, it is not clear who would have had access to these passwords in the first place.

G Suite is the company’s corporate version of Gmail and many of its other services, and it is believed that the error came about within this service because of a feature that was designed specifically for use by businesses.

Earlier in G Suite’s existence, administrators were able to manually set user passwords for their businesses, for example in readiness for a new employee starting. Once the password was set, the admin console would store that password in plain text rather than hashing it. Since the discovery, Google has removed that ability from administrators.
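The flaw described above, as an added example (not Google's code and not from the original post): one admin write path stores the password as typed, the other stores a salted PBKDF2 hash, and an audit finds the records that still need a reset. The function names, record format, iteration count and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000      # assumed work factor for this example
PREFIX = "pbkdf2-sha256"  # assumed record tag, not a Google format

def hash_password(password: str) -> str:
    """Return a salted, self-describing record; the password itself is not kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${digest.hex()}"

def is_hashed(record: str) -> bool:
    """True only if the stored value parses as a record made by hash_password."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != PREFIX or not parts[1].isdecimal():
        return False
    try:
        salt = bytes.fromhex(parts[2])
        digest = bytes.fromhex(parts[3])
    except ValueError:
        return False
    return len(salt) == 16 and len(digest) == 32

def verify_password(password: str, record: str) -> bool:
    if not is_hashed(record):
        return False  # never fall back to comparing against a plaintext value
    _, iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def admin_set_password_legacy(store: dict, user: str, password: str) -> None:
    store[user] = password  # the flaw: the value is written exactly as typed

def admin_set_password(store: dict, user: str, password: str) -> None:
    store[user] = hash_password(password)  # only salt and digest are stored

def audit_plaintext(store: dict) -> list:
    """Return users whose stored credential is not a hash record (reset needed)."""
    return sorted(user for user, rec in store.items() if not is_hashed(rec))

def demo() -> dict:
    store = {}  # constructed sample accounts
    admin_set_password_legacy(store, "new.starter", "Welcome2005!")
    admin_set_password(store, "alice", "correct horse battery staple")
    return store
```

Running `audit_plaintext(demo())` flags only the account written through the legacy path, which is the set of users a forced reset would target.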

In the blog post, Google goes to great lengths to explain the ins and outs of cryptographic hashing and how it works, possibly in an effort to reassure users that the nuances around this bug have been cleared up.

Although the passwords were stored in plain text, they were stored inside Google’s own servers, meaning that it would be harder to get to them than if they were stored on the open internet. While Google didn’t explicitly say this, it seems that the company wants to make sure this incident is not lumped into the same pile as other bugs in which passwords were leaked after being stored online.

Google has issued an apology for this error, stating that it did not live up to its own standards and reiterating that it takes the security of its customers extremely seriously.

Alan Littler

Account Executive at Engage Web
Drawing from a broad pool of experience that ranges from university studies in English Language to his work as a medical receptionist in a busy GP practice, Alan fits right at home as Engage Web’s Account Executive.
