SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Google 'will do better' after G Suite passwords exposed since 2005
Thu, 23rd May 2019
FYI, this story is more than a year old

Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption. Most people would expect that global tech companies with billions of dollars on hand would know better.

But this week Google was once again left red faced, after the company admitted that its G Suite software had left enterprises users' passwords completely exposed since at least 2005.

The problem lay in a tool that allows domain administrators to set and recover passwords manually for users. This meant that new employees could receive account information on their first day of work, and for account recovery.

However, Google made a mistake when it deployed that functionality in 2005. It turns out the admin console stored a copy of the plain-text password, completely unhashed and unencrypted.

“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Google's Cloud Trust VP of engineering Suzanne Frey explains in a blog.

That mistake is counter to Google's standard password policies. Its sign-in system is designed not to uncover password. Instead it uses hash functions to encrypt and scramble passwords. Plain-text passwords transform letters and numbers into sequences that look something like “72i32hedgqw23328”.

Those hash functions are almost impossible to unscramble. When a user forgets their password, Google says it can't unscramble that password – it can only set a temporary password and require the user to choose a new one.

“In addition, as we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident.”, Google continues.

Google says it has notified G Suite administrators and asked them to change all passwords affected by the errors.

“Out of an abundance of caution, we will reset accounts that have not done so themselves. Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password.”

“In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options, including Security Keys, which Google relies upon for its own employee accounts.

Google says it says apologises to its users and takes enterprise customers' security ‘extremely seriously'. It also says it prides itself on shaping best practices for account security.

The company adds that it will do better.