
Google 'will do better' after G Suite passwords exposed since 2005

23 May 2019

Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption. Most people would expect that global tech companies with billions of dollars on hand would know better.

But this week Google was once again left red faced, after the company admitted that its G Suite software had been storing some enterprise users' passwords in plain text, unhashed, since at least 2005.

The problem lay in a tool that lets domain administrators manually set and recover passwords for their users, for example so that a new employee can be handed account details on their first day of work, or so that a locked-out user can get back in.

However, Google made a mistake when it deployed that functionality in 2005: the admin console kept a copy of the password itself, unhashed, rather than only a cryptographic hash of it.

“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google's Cloud Trust VP of engineering Suzanne Frey explains in a blog.

That mistake runs counter to Google's standard password policy. Its sign-in system is designed never to hold the password itself. Instead it runs each password through a cryptographic hash function, which turns the letters and numbers of a plain-text password into a fixed-length scrambled string that looks something like "72i32hedgqw23328". Hashing is not encryption: there is no key that turns the hash back into the password.

Those hash functions are designed to be one-way, so the original password cannot practically be recovered from the stored value. When a user forgets their password, Google says it cannot unscramble it; it can only set a temporary password and require the user to choose a new one.
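The one-way storage described above, as an added illustration written for this page (it is not Google's code): only a salt and a slow hash are kept, a login is checked by re-deriving the hash, and "recovery" means replacing the hash rather than reading the old password. The PBKDF2 parameters, the record layout and the sample passwords are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (not Google's): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user, and a deliberately slow iteration count.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record that gets stored: salt + hash, never the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Check a login attempt by re-deriving the hash from the candidate.

    The stored hash is never 'unscrambled'; we only compare derived values,
    using a constant-time comparison so timing does not leak how many
    leading bytes matched.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def reset_password(store: dict, user: str, temporary_password: str) -> None:
    """Account recovery the one-way way: the old hash is replaced outright.

    Nothing here can return the user's previous password, because the store
    never had it; an administrator can only issue a new (temporary) one.
    """
    store[user] = hash_password(temporary_password)


def leaks_plaintext(record: dict, password: str) -> bool:
    """True if the stored record contains the password itself anywhere.

    This is the check the admin-console tool described in the article would
    have failed: it kept an unhashed copy alongside the proper record.
    """
    return any(password == str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    users = {"alice": hash_password("correct horse battery staple")}
    print("stored record:", users["alice"])
    print("login ok:", verify_password(users["alice"], "correct horse battery staple"))
    print("wrong pw:", verify_password(users["alice"], "hunter2"))
    reset_password(users, "alice", "Temp-8f3kq2")
    print("old pw after reset:", verify_password(users["alice"], "correct horse battery staple"))
    print("temp pw after reset:", verify_password(users["alice"], "Temp-8f3kq2"))
```

Two details matter for the point the article makes. The per-user salt means two users with the same password get different hashes, so one cracked hash does not expose the other. And because the record holds only the hash, the only recovery operation the system can offer is the one Google describes: set a temporary password and force a change.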

“In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident,” Google continues.

Google says it has notified G Suite administrators and asked them to change all passwords affected by the errors.

“Out of an abundance of caution, we will reset accounts that have not done so themselves. Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password.” 

“In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options, including Security Keys, which Google relies upon for its own employee accounts.”

Google says it apologises to its users and takes enterprise customers' security ‘extremely seriously’. It also says it prides itself on shaping best practices for account security.

The company adds that it will do better.
