You are here

You are here

Google admits to storing plaintext passwords

Richi Jennings Industry analyst and editor, RJAssociates

G Suite, Google’s enterprise productivity SaaS, has been storing some users’ passwords in the clear. Perhaps for as long as 14 years. Holy guacamole.

“We made an error,” ’fesses big G. No kidding?

“This issue has been fixed,” promises la GOOG. Well, that’s all right then. In this week’s Security Blogwatch, we say hello and wave goodbye.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: indescribable anarchy.

Gee, sour

What’s the craic? Cat Ferguson scratches Google kept some users’ passwords in plain text:

Administrators of some of Google’s five million business accounts got an unwelcome surprise when the company recently notified them it had stored some user passwords in plain text since 2005. … When it first built its … business product, G Suite, 14 years ago, the tool that allowed managers to manually set passwords for employees failed to [hash] new passwords.

It’s been a rough week for Google’s security team. On Monday, a large number of users … mistakenly received a notification that a new device had signed into their account, scaring a lot of people into thinking their accounts were being hacked. It’s unclear whether the two issues are related.

WTactualF? Iain Thomson explains—Google resets passwords after storing some unhashed creds for months, years:

Hashing is a standard industry practice that protects credentials by scrambling them using a one-way encryption algorithm. [But] if a hacker gets into Google's infrastructure, passwords hashed or not hashed, it's potentially game over anyway.

In other words, it's sloppy, dangerous, and embarrassing, though keep it all in perspective. … Hashing would protect the account passwords from snooping, sure, but, er, there would be rather bigger problems to solve.

There are essentially two security cockups at play. … The first … a G Suite feature available from 2005 that allowed organizations' admins to set their G Suite users' passwords … did not hash these passwords. … The second involves recording some user passwords in plaintext on disk, as they logged in, and keeping these unhashed credentials around for 14 days … during attempts by Googlers to troubleshoot their login system.

How will they explain this away? Google veep Suzanne Frey has been Notifying administrators:

Google’s policy is to store your passwords with cryptographic hashes. … We are working with enterprise administrators to ensure that their users reset their passwords. [We] have seen no evidence of improper access to or misuse of the affected G Suite credentials.

We made an error … back in 2005: The admin console stored … the unhashed password.

In addition … starting in January 2019 we … inadvertently stored a subset of unhashed passwords.

The effectiveness of the hash function lies in its one-way nature: it is simple to scramble your password, but nearly impossible to unscramble it. So, if someone should obtain the scrambled password, they won’t be able to recover your real password.

To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed.

We recently notified G Suite administrators to change those impacted passwords. … We will reset accounts that have not done so themselves.

We did not live up to our own standards. … We apologize to our users and will do better.

Flame on! This Anonymous Coward waxes excoriating:

This is a multi-billion dollar company failing at basic security and not finding it for 15 years. … ****ing incompetence and stupidity.

I talked to Google about [G Suite] back in 07 or 08 and their response was something along the lines of it is secure because the data is randomly distributed across a bunch of computers in a bunch of data centers so there was nothing to worry about. Which was a pathetic response to a fortune 25 security team. We did nothing with them and now my veto is validated.

I'm just not prepared to give Google a pass on this one, it's way too big of a **** up to be waved away as a mistake. … It's a fundamentally stupid product decision.

Passwords should never be retrievable. Reset? Yes. Retrieve? No.

And Jacques Mattheij agrees (albeit less swearily):

So far the G-Suite experience has been underwhelming to say the least. **** interface and less fine grained control over document access than even Google drive offers for free.

And now this. As much as there is to like about this [disclosure] in terms of transparency it is also very interesting for what it does not say:

"Legacy functionality that enabled customer Domain Admins to view password." That functionality should have never existed to begin with.

"Primarily impacted system generated or admin generated passwords intended for one-time use." Note the weasel word 'primarily.' Either it did or it did not potentially affect all passwords.

"An internal system that logged account signup information for diagnostic purposes, also inadvertently logged the administrator’s account password … unhashed." … Suggests some pretty major process failures: This change was apparently found after it had already been pushed to production without review, or with a review that did not catch this pretty basic mistake.

But Thomas Ptacek pours oil on troubled waters:

The ordinary response to notifications like these is, to put it bluntly … a rage-mob. But here you have a corrective, a case where that doesn't make sense.

Google operates … one of the 3 best security teams in the industry, likely exceeding … the elite of some major world governments. And they can't reliably promise, at least not in 2019, never to accidentally durably log passwords.

If they can't, who else can?

It's useful to have a reminder that accidentally retaining plaintext passwords is a hazard of building customer identity features. But … it's at least equally useful to get the level set on what engineering at scale can reasonably promise today.

In other news, Sead Fadilpašić looks at Google Glass 2 enterprise version:

Google Glass, the company's augmented reality solution which first debuted in 2013, has now gotten a faster and cheaper successor for businesses. [It] is an improvement on all fronts: it will come with a powerful Snapdragon XR1 chip, which the company claims will do … AI and computer vision, all while consuming less energy.

An 820 mAh battery … is expected to last up to eight hours. … This time around the device will [capture] 720p video, [has a] USB-C port for faster recharging, as well as … Wi-Fi 5 and Bluetooth 5.

As for the price, Google managed to reduce it by a third. … Google Glass Enterprise Edition 2 will set you back $999.

Enterprise glassholes? Mike Elgan reckons it Looks Awesome:

Google Glass Enterprise Edition 2 looks like a more refined and powerful version of the original. It's got an 8 megapixel camera instead of 5; higher resolution display; and it appears to be more ruggedized.

Of course, it's for enterprise customers, so I don't think I can buy one.

Meanwhile, David Ruddock—@RDRv3—explains why Google persists with the Glass project:

Google keeps Glass alive – I believe – because there is a very strong belief among Certain People (COUGH Sergey Brin COUGH) that this bet will eventually pay dividends when AR products go mainstream.

The moral of the story?

Get serious about security-focused code reviews. And mandate 2FA. (And don’t be a glasshole.)

And finally

Dream Themes play The Simpsons dressed as The Beatles

(Possible F-bomb at the start. Don’t miss the ending.)

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Travis Wise (cc:by)

Keep learning