Google Has Stored Some Passwords in Plaintext Since 2005

It happened again: Google announced today that it's the latest tech giant to have accidentally stored user passwords unprotected in plaintext. G Suite users, pay attention.

Google says that the bug affected "a small percentage of G Suite users," meaning it does not impact individual consumer accounts, but does affect some business and corporate accounts, which have their own risks and sensitivities. The company typically stores passwords on its servers in a cryptographically scrambled state known as a hash. But a bug in G Suite's password recovery feature for administrators caused unprotected passwords to be stored in the infrastructure of a control panel, called the admin console. Google has disabled the features that contained the bug.

Before it did so, the passwords would have been accessible to authorized Google personnel or malicious interlopers. Each organization's administrator could have also accessed the plaintext passwords for the account holders within their group.

*****************************************************

Recommended For You

Launch Creator

Launch Creator

ScriptReel - Personal

ScriptReel is a cloud based video caption creation and audio translation app that uses Vega6's advanced Artificial Intelligence technology to automate caption creation and translation.

*****************************************************

Twitter and Facebook have dealt with plaintext password bugs of their own in the past 18 months. But where those two companies both concluded that it was unnecessary to auto-reset user passwords, Google is taking the step "out of an abundance of caution." At the time, Twitter would not comment on how long it had been storing users' passwords in plaintext. Facebook's bug dated back to 2012.

Google's bug, meanwhile, has existed since 2005—a year before "Google For Work" even became an official offering. And while the company emphasizes that it has no evidence that the plaintext passwords were ever accessed or abused, 14 years is a long time for sensitive data to hang around unnoticed.

"Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password," Google vice president of engineering Suzanne Frey wrote in a blog post. "In addition, we provide G Suite administrators with numerous two-step verification (2SV) options. … We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards."

Google is in the process of notifying G Suite administrators, and says that it will also automatically reset any impacted passwords that haven't already been changed. The company discovered the bug in April, and an additional plaintext password bug in May during the course of its investigation. The latter accidentally stored plaintext passwords for new G Suite customers as they completed their sign-up. That bug only went into effect in January 2019, and those unhashed passwords were only stored for a maximum of 14 days. Google says that it has fixed both the main admin console plaintext bug and the more recent sign-up flow issue.

"Google typically has a decent track record of catching bugs fast and remediating them, so the fact that this was around since 2005 and wasn’t caught is disconcerting," says David Kennedy, CEO of the enterprise penetration testing firm TrustedSec. "We have seen this with Twitter, Facebook, and multiple other organizations where legacy processes or applications cause clear text passwords to be exposed internally. And even if it's only internal it still creates a substantial privacy and security concern."

Since all impacted passwords that haven't already been changed will be auto-reset by Google, you should focus on adding two-factor authentication to your G Suite account if you don't already have it—and maybe cross your fingers that these passwords went unnoticed for 14 years.


Original Article : HERE ; This post was curated & posted using : RealSpecific

This post was curated & Posted using : RealSpecific

Thank you for taking the time to read our article.
**********************************************************

Interested in building a blog or auto-blog like this one ? Or just want to order one ?  Join our "Blogging Tips Tricks and Resources Skype" Group and let's chat about it. 

Join "Blogging Tips Tricks and Resources Skype" HERE

Interested in Starting your own Roku TV Channel ? Or interested in learning how to build one ? Join our "Roku TV Channel Development" Skype Group and let's chat about it. 

Join "Roku TV Channel Development" HERE

**********************************************************

If you enjoyed our content, we'd really appreciate some "love" with a share or two.

And ... Don't forget to have fun!

 
 

Recommended

LeadFunnelCloud Pro

Get this Cloud Based App That Creates INSTANT Done-For-You UNLIMITED Profitable Lead Funnels To Build A HUGE List,Drive Targeted Social Traffic and Affiliate Commissions In Just 60 Seconds

DocStudioFX Elite

Create, Edit, Rebrand And Share STUNNING eBooks, Magazines, White Papers And Reports With Our Secret Built-In Monetization Technology

Video App Suite Deluxe Templates

Unlock 20 additional premium video templates immediately and 5 templates each month for the next 1 YEAR. Get everything for a ONE-TIME payment, no monthly or yearly fees attached!

Leave a Reply