Google Stored Passwords in Text

Google just announced it had stored G-Suite Enterprise users’ passwords in plain text since 2005. In a Google Cloud blog post, Google has notified the G-Suite administrators to change the impacted passwords. The company has reset the accounts of the affected users but yet they have not specified how many users were affected. Read below as it describes how it happened and what we recommend to secure your G-Suite Enterprise accounts.

Google G-Suite Enterprise Users’ Passwords in Plain Text Since 2005

What Happened?

This is going to get a little technical about describing how Google G-Suite stores its passwords but we will give it a try. First, Google stores its passwords on a secure encrypted infrastructure as a scrambled hashed version. Keep in mind that storing passwords this way prevents access to useable passwords in the event anyone got access to them. Second, Google administrators have a tool to upload user passwords or they can manually set the passwords for their company’s users. This tool is meant to help onboard new users and allow users to sign in with the provided temporary password.

The G-Suite admin onboarding a new user has an option to turn on, “change user password on next sign on.” From the time the temporary password is assigned to a new or active g-suite user that “temp password” was stored in plain text on Google’s servers. Only Google employees had access to view these temporary passwords stored in plain text according to their post.

Recommendations:

We recommend you enable “sign-in & recovery” to a phone number and recovery email. Also, consider setting up step up 2-step verification to sign in. This is the latest security issue from yet another big tech company. So as always, we remind you to change your passwords and follow other digital security practices continually.