Google 'will do better' after G Suite passwords exposed since 2005

23 May 2019

Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption. Most people would expect that global tech companies with billions of dollars on hand would know better.

But this week Google was once again left red faced, after the company admitted that its G Suite software had left enterprises users’ passwords completely exposed since at least 2005.

The problem lay in a tool that lets domain administrators set and recover passwords manually for their users. This let new employees receive their account credentials on their first day of work, and it also supported account recovery.

However, Google made a mistake when it deployed that functionality in 2005. It turns out the admin console stored a copy of the plain-text password, completely unhashed and unencrypted.

“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google's Cloud Trust VP of engineering Suzanne Frey explains in a blog.

That mistake runs counter to Google’s standard password policies. Its sign-in system is designed so that Google itself never needs to learn a user's password. Instead it stores passwords only after running them through a hash function, which scrambles the letters and numbers into a fixed-length string that looks something like “72i32hedgqw23328”.

Those hash functions are designed so that the original password cannot practically be recovered from the stored value. When a user forgets their password, Google says it cannot unscramble that password – it can only set a temporary password and require the user to choose a new one.
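As an added illustration (not code from the article or from Google), the Python below contrasts the mistake described above, keeping the password as typed, with hashed storage and the reset-only recovery flow the article describes; the PBKDF2 parameters, function names and sample password are my own assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
ITERATIONS = 200_000


def store_plaintext(password):
    """The flawed pattern: the admin record keeps the password itself."""
    return {"password": password}


def hash_password(password):
    """Store only a salted, slow hash; the password cannot be read back from it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "must_change": False}


def verify_password(record, candidate):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def admin_reset(record):
    """Recovery without recovery: the old password is never revealed.

    A fresh temporary password is issued and the account is flagged so the
    user must choose a new one at next sign-in. Returns (new_record, temp).
    """
    temp = secrets.token_urlsafe(12)
    new_record = hash_password(temp)
    new_record["must_change"] = True
    return new_record, temp


def record_leaks_plaintext(record, password):
    """Audit check: a stored record must never contain the password verbatim."""
    return any(password in str(value) for value in record.values())
```

Running the audit check over exported admin records is one way to catch a plaintext copy like the one described here before it sits unnoticed for years.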

“In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident,” Google continues.

Google says it has notified G Suite administrators and asked them to change all passwords affected by the errors.

“Out of an abundance of caution, we will reset accounts that have not done so themselves. Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password.” 

“In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options, including Security Keys, which Google relies upon for its own employee accounts.”

Google says it apologises to its users and takes enterprise customers’ security ‘extremely seriously’. It also says it prides itself on shaping best practices for account security.

The company adds that it will do better.
