G Suite passwords stored in plain text for 14 years


Bobby Hellard

22 May, 2019

Google has revealed that some G Suite passwords have been stored in plaintext, meaning without encryption, for 14-years.

The tech giant said it had recently discovered a bug that’s been around since 2005 and has begun resetting any passwords that might be affected, as well as alerting G Suite administrators about the issue.

“We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Suzanne Frey, VP of Google’s engineering and cloud trust division.

“This is a G Suite issue that affects business users only–no free consumer Google accounts were affected–and we are working with enterprise administrators to ensure that their users reset their passwords.”

Frey added that Google has been conducting a thorough investigation and, so far, hasn’t seen any evidence of improper access or misuse of these affected G Suite credentials.

The blog post goes into great detail about Google’s policy on storing passwords with cryptographic hashes that mask them. Cryptography is a one-way system, as in only seen at Google’s end, where it scrambles user passwords with a hash function – so it becomes something like “72i32hedgqw23328”. This is then stored with the relevant user name, encrypted and saved to disk. The next time the user signs in, the password is scrambled in the same way to see if it matches what Google has stored.

But this wasn’t the case back in 2005 for one particular feature. In the enterprise version of G Suite, Google allowed domain administrators with tools to set and recover passwords; supposedly because this was highly requested. This tool was located in the admin console and let administrators upload or manually set user passwords.

The idea was to help administrators load on new users but the function would inadvertently store a copy of the unhashed password in the admin console. Google stressed that these passwords remained in its secure encrypted infrastructure and that the issue had been fixed, but 2005 was a long time ago.

While that’s bad enough, further password encryption flaws were found by the company as it was troubleshooting new G Suite customer sign-up flows. It discovered that from in January 2019 it had inadvertently stored a subset of unhashed passwords in its secure encrypted infrastructure. These passwords were only stored for a maximum of 14 days and once again, Google said the issue has been fixed.

This is one of a number of incidents reported by tech companies in recent times, where password encryption has been hampered by a bug or fault. Last year, Twitter warned its users to update their passwords after the company identified a flaw in its systems that could have allowed staff at the company to view them in plaintext form. Twitter sent an email to users explaining that the bug had been fixed and the resulting internal investigation “showed no indication of a breach of misuse by anyone”.

In Google’s defence, despite how long the bug has been in G Suite, its notification has not tried to mask anything. Unlike Facebook, which earlier this year notified users that “some” passwords had been stored in plaintext, only explaining much further down its blog post that actually hundreds of millions of passwords for Facebook, Instagram and Facebook Lite were stored without encryption.