Google Has Been Storing Unhashed G-Suite Passwords for 14 Years

Google has announced that it discovered an error in its enterprise password recovery feature which resulted in G Suite passwords being stored on internal servers in plaintext for 14 years.

The passwords could not be accessed remotely by anyone outside of Google, but the error does pose a security risk: any Google employee with access to those servers could have viewed the passwords.

The problem does not affect users with free consumer Google accounts, only a subset of Google's business and enterprise customers.

Normally, Google stores passwords as cryptographic hashes. Hashing is a one-way process, so Google itself cannot view the password. The hash function scrambles the password, and the resulting hash, paired with the username, is encrypted when stored. When the user supplies their password at login, it is hashed and the result is compared with the stored hash; if the two match, access to the account is granted. Since Google does not hold the password and cannot 'unhash' it, the only way to regain access to an account is for Google to issue a temporary password that the G Suite user can use to reset the password on their account.

However, in 2005, an error was made while implementing new functionality to help domain administrators set and recover passwords for their users. The new function allowed administrators to upload and manually set passwords for their users, to prepare accounts for new members of staff and to recover passwords easily. That error resulted in those passwords being stored without first being hashed.
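As an added illustration (not Google's code), the following shows how an administrator-driven "set password" path can write exactly the same one-way hashed record as the normal login path, together with a small audit that flags any stored record still holding a raw password. The credential store, usernames and PBKDF2 parameters are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, List, Optional

# PBKDF2-HMAC-SHA256 work factor. Deliberately modest so the example runs quickly;
# a production deployment would use a much higher count or a memory-hard KDF.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, Any]:
    """Derive a salted, one-way hash. The returned record never contains the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iters": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: Dict[str, Any], candidate: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Hypothetical credential store keyed by username (constructed for this example).
CREDENTIAL_STORE: Dict[str, Dict[str, Any]] = {}


def admin_set_password(username: str, new_password: str) -> None:
    """Administrator-driven set/recover path. It writes the same hashed record as the
    normal sign-up path, so the store never holds the value the admin typed in."""
    CREDENTIAL_STORE[username] = hash_password(new_password)


def find_unhashed_records(store: Dict[str, Dict[str, Any]]) -> List[str]:
    """Defensive audit: list users whose record carries a raw 'password' field or
    lacks the fields every hashed record must have."""
    required = {"alg", "salt", "hash"}
    return sorted(user for user, rec in store.items()
                  if "password" in rec or not required <= set(rec))


if __name__ == "__main__":
    admin_set_password("new.hire@example.com", "Tr0ub4dor&3")
    print(verify_password(CREDENTIAL_STORE["new.hire@example.com"], "Tr0ub4dor&3"))  # True
    print(find_unhashed_records(CREDENTIAL_STORE))                                   # []
```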

Google has now corrected the flaw, and its investigation has not uncovered any evidence that passwords were improperly accessed or misused by its employees. During the investigation, a second error was discovered: in January 2019, an error caused a subset of unhashed passwords to be stored in its secure encrypted infrastructure for a period of 14 days. Again, no evidence of improper access or misuse was found.

All G Suite administrators who are affected have been notified and any that have not updated their passwords by May 29, 2019 will have their passwords automatically reset.

Google has not publicly stated how many users are affected, saying only that a 'subset' of users was impacted. There are currently more than 5 million G Suite Enterprise customers, so the error could potentially affect millions of corporate users.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news