Google stored some passwords in plain text for fourteen years

04:11 22 May 2019 Source: theverge.com


"Google’s policy is to store your passwords with cryptographic hashes that mask those passwords to ensure their security. However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed," read the blog.

© Illustration by Alex Castro / The Verge

In a blog post today, Google disclosed that it recently discovered a bug that caused some portion of G Suite users to have their passwords stored in plain text.

The bug has been around since 2005, though Google says that it can’t find any evidence that anybody’s password was improperly accessed.

It’s resetting any passwords that might be affected and letting G Suite administrators know about the issue.

G Suite is the corporate version of Gmail and Google’s other apps, and apparently the bug came about in this product because of a feature designed specifically for companies.


Google has revealed it had left some business users' passwords exposed in plain text. In a blog post on Tuesday When stored in a system, passwords are cryptographically hashed — scrambled into a random-looking assortment of numbers — which makes it near-impossible to try and guess what it is.

Google has been storing G Suite passwords in plain text for 14 years. Google reports that a small number of the G Suite enterprise customers' passwords has been stored on their system in plaintext for 14 years.[1] The exposure was disclosed in the blog post, posted on May 22nd.[2]

Early on, it was possible for your company administrator for G Suite apps to set user passwords manually — say, before a new employee came on board — and if they did, the admin console would store those passwords in plain text instead of hashing them. Google has since removed that capability from administrators.
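The failure described above is a second write path that skips the hashing step. The following sketch is an added example, not Google's code or anything from the original article: the Store class, its method names and the "scrypt$salt$hash" record format are hypothetical. It shows the unhashed admin path next to a corrected one, plus an audit that flags any stored record that is not in hashed form.

```python
import base64, hashlib, hmac, os

# Hypothetical record format for this example: scrypt$<salt_b64>$<digest_b64>
def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    enc = lambda b: base64.b64encode(b).decode()
    return "scrypt$" + enc(salt) + "$" + enc(_kdf(password, salt))

def is_hashed(record: str) -> bool:
    """True only if the record parses as a well-formed hashed entry."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    try:
        salt = base64.b64decode(parts[1], validate=True)
        digest = base64.b64decode(parts[2], validate=True)
    except ValueError:
        return False
    return len(salt) == 16 and len(digest) == 64

def verify_password(password: str, record: str) -> bool:
    if not is_hashed(record):
        return False  # never compare a login attempt against an unhashed record
    _, salt_b64, digest_b64 = record.split("$")
    candidate = _kdf(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))

class Store:
    def __init__(self):
        self.rows = {}  # user -> stored credential record

    def user_sets_password(self, user: str, pw: str) -> None:
        self.rows[user] = hash_password(pw)

    def admin_sets_password_buggy(self, user: str, pw: str) -> None:
        self.rows[user] = pw  # second write path: stores the password as typed

    def admin_sets_password_fixed(self, user: str, pw: str) -> None:
        self.user_sets_password(user, pw)  # reuse the one hashing path

def audit(rows: dict) -> list:
    """Return users whose stored record is not a hashed entry."""
    return sorted(u for u, rec in rows.items() if not is_hashed(rec))
```

Running audit over the credential table is the kind of recurring check that surfaces a legacy write path even when the primary sign-up flow hashes correctly.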

Google’s post goes to great pains to explain how cryptographic hashing works, likely in an effort to make sure the nuances surrounding this breach are clear.

Though the passwords were stored in plain text, they were at least stored in plain text inside Google’s servers, so they’d be harder to get to than if they were just out on the open internet.


Administrators of some of Google’s five million business accounts got an unwelcome surprise when the company recently notified them it had stored some user passwords in plain text since 2005. But Google made a mistake when it first built its email-for-business product, G Suite, 14 years ago.

Google said it had stored G Suite enterprise users' passwords in plain text since 2005, marking a giant security faux pas. “This mistake should have been recognized and prevented fourteen years earlier with proactive, ongoing security testing.” Google is only the latest conglomerate tech company

Although Google didn’t say so explicitly, it seems like it wants to also make sure people don’t lump this bug in the same category as other plain text password problems where those passwords have leaked out.

Google has already made users reset their passwords

And oh, there have been so many of those, as Wired notes.

Twitter advised all 330 million of its users to change passwords back in March due to a breach.

Facebook stored “hundreds of millions” of passwords in plain text in a way where up to 20,000 of its employees could have accessed them. Instagram had to fess up that Facebook’s breach had actually affected millions of Instagram users (not the previously disclosed smaller number).

For its part, Google didn’t characterize just how many users might have been affected by this bug beyond saying it affected “a subset of our enterprise G Suite customers” — presumably anybody who was using G Suite in 2005.

And though Google couldn’t find evidence that anybody used this access maliciously, it’s not entirely clear who would have had access to these plain text files either.

In any case, it’s fixed now and Google is appropriately sorry in its post about the whole issue:

“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.”
