Google exposes G Suite issue that stored plain-text passwords on its servers for 14 years Credit: GoogleSupplied Art
Business Management

Google exposes G Suite issue that stored plain-text passwords on its servers for 14 years

Google has begun forcing “a subset of our enterprise G Suite customers” to change their passwords after an issue that inadvertently left passwords exposed for more than a decade.

In a post to its Google Cloud blog Tuesday, the company outlined an error made back in 2005 that stored a copy of actual user passwords rather than the usual scrambled “hashed” version, thus making it possible for an outside attack to gain access to usable passwords. Google explains that the issue has been fixed and the company has “seen no evidence of improper access to or misuse of the affected passwords.”

Google says the passwords were still stored on its “secure encrypted infrastructure,” so the likelihood of an outside attack was low.

Google blames a legacy feature set for the issue. Back in 2005, G Suite domain administrators were given the ability to set and recover passwords on the client side for their own users, so they needed access to unhashed passwords. Google has since jettisoned this functionality and requires all G Suite passwords to be reset rather than recovered, just like Gmail.

Additionally, Google unearthed a separate issue that started in January that also led to unhashed passwords being stored for up to 14 days. Like the other issue, Google has fixed the problem and hasn’t found any evidence of “improper access to or misuse of the affected password.” 

As a result, Google is informing all affected clients to change impacted passwords and will reset any that aren’t manually changed. Google apologized for the issue and promised it “will do better” in the future.

While this particular issue doesn’t affect Gmail users (outside of G Suite subscribers), it drives home the need to use strong, unique passwords for every critical site and service you use. If you aren’t using a password manager yet, you should be. Our roundup of the best password managers can get you on the right track if you need help selecting one.


« What the Huawei-Google spat means for you


Phyn Plus smart water valve review: Sophisticated leak detection and water use analysis—for a price »
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Amazon Cloud looms over China: Bezos enters Alibaba home ground

Lewis Page gets down to business across global tech


Do you think your smartphone is making you a workaholic?