Google discovers that some user passwords have been stored for 14 years without encryption



Google has disclosed on its own blog that it kept some of its user passwords in unencrypted plain text for 14 years. The issue has existed since 2005, and it affects user accounts on G Suite, not users of free Google accounts.

Notifying Administrators About Unhashed Password Storage | Google Cloud Blog
https://cloud.google.com/blog/products/g-suite/notifying-administrators-about-unhashed-password-storage


Google stored some passwords in plain text for fourteen years - The Verge
https://www.theverge.com/2019/5/21/18634842/google-passwords-plain-text-g-suite-fourteen-years

Google's policy is to use a cryptographic hash function to conceal user passwords and keep them secure. However, it was discovered that some of the user passwords managed by Google were stored on the system without being encrypted. The problem was found in the G Suite service provided by Google, and it affects only business users of that service. It has no impact on users of free Google accounts. Google is committed to working with company administrators to reset passwords for potentially affected users. At the time of writing, Google said, 'We have conducted a thorough investigation, and there is no evidence that the affected G Suite's authentication information has been inappropriately accessed or misused.'

Since G Suite is a service that lets companies use Gmail and other Google applications, the overseas media outlet The Verge notes that 'It seems that a bug has occurred due to a function designed for companies.' The bug seems to have been in the G Suite service's 'The ability for domain administrators to upload user passwords and set them manually when creating a new account.' This function was intended to make it easy for new users to start using G Suite, and was used, for example, to prepare accounts for new employees in advance. However, for some reason this feature had a bug that caused the password to be stored in plain text, without being encrypted, in the management console. Note that Google has already removed this feature.


Due to a bug, some user passwords were stored as plain text, but they were at least stored 'on Google servers', so it is clear that access was more difficult than if they had been stored on another server or somewhere anyone could reach. The Verge states, 'Although Google is not clearly explaining this, we do not want Google's bugs to be grouped together in the same category as in the case where passwords were leaked in other plain texts.'

Google also reports finding that, while it was troubleshooting a new signup method for G Suite users, a subset of unencrypted passwords may have been accidentally stored on its secure encrypted infrastructure from around January 2019. This issue has also been fixed, and improper access to or misuse of the affected passwords has not been confirmed.

'We take enterprise security very seriously, and we take pride in advancing industry best practices for account security. We meet our own standards and our standards. I apologize to the user for what I did not do.'

in Web Service,   Security, Posted by logu_ii