Google's enterprise G Suite service left some of its business customers' passwords exposed for 14 years. The passwords were mistakenly stored on Google's systems unhashed, in plaintext. Google has not said how many customers were affected.
There were two problems: The first involved a feature flaw introduced back in 2005, and the second was an issue that surfaced in January 2019. In both cases, it looks like Google just recently discovered and corrected these issues.
The First Issue
The first problem dates back to 2005, when an error in the handling of enterprise passwords caused Google to store them without hashing them. Anyone, or any process, able to read that storage could read the passwords directly.
They’ve since fixed this issue, and Google reports that they’ve “seen no evidence of improper access to or misuse of the affected passwords.”
Google says the passwords were still held on its “secure encrypted infrastructure,” so the likelihood of an outside attacker reaching them was low. Note the limit of that reassurance: encryption at rest protects against someone who walks off with the disks, not against an insider or a compromised system that has legitimate access to the data.
The Second Issue
Google also discovered in January 2019 that a subset of unhashed passwords was being stored for up to 14 days. That problem has been fixed as well.
Google reported that it found no signs of “improper access to or misuse of the affected passwords.”
These issues only affected G Suite business accounts, not consumer Gmail accounts. Google has notified G Suite administrators to change the impacted passwords.
How Did This Happen?
Google's standard practice is to store your password as a cryptographic hash rather than as the password itself.
A cryptographic hash is one-way: the stored value is computed from the password, but the password cannot be computed back from it. Someone who obtains the hash can only guess candidate passwords and check each one, which is why password hashes should be salted and computed with a deliberately slow function, so that guessing stays expensive even when the hash database leaks.
In 2005, Google gave G Suite domain administrators tooling to set and recover their users' passwords. Recovery is the tell-tale: a properly hashed password cannot be recovered, only reset, so the feature could only work by keeping a copy of the unhashed password alongside the hash. That copy is what left these passwords exposed.
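The following example, added here and not Google's code, models the difference between the two designs: passwords stored as salted, slow hashes (PBKDF2-HMAC-SHA256 via the standard library), a flawed admin console that also keeps an unhashed copy so that “recovery” works, and the hardened form in which recovery is replaced by a reset to a fresh random password. Class and function names are illustrative, and the user names are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256. OWASP's 2023 guidance is 600,000
# iterations; the cost is what makes offline guessing slow.
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || PBKDF2(password). The password itself is never stored."""
    salt = salt or os.urandom(SALT_LEN)        # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


class FlawedAdminConsole:
    """Illustrative model of the 2005-style flaw: the password is hashed
    correctly, but the 'recovery' feature keeps an unhashed copy too."""

    def __init__(self):
        self.hashes = {}
        self.recoverable = {}        # BUG: plaintext copies live here

    def admin_set_password(self, user: str, password: str) -> None:
        self.hashes[user] = hash_password(password)
        self.recoverable[user] = password      # the mistake

    def admin_recover_password(self, user: str) -> str:
        return self.recoverable[user]          # readable by anyone with storage access


class FixedAdminConsole:
    """Hardened form: hashes only. 'Recovery' becomes a reset to a random
    password that is returned once to the admin and never persisted."""

    def __init__(self):
        self.hashes = {}

    def admin_set_password(self, user: str, password: str) -> None:
        self.hashes[user] = hash_password(password)

    def admin_reset_password(self, user: str) -> str:
        new_password = secrets.token_urlsafe(16)
        self.hashes[user] = hash_password(new_password)
        return new_password

    def login(self, user: str, password: str) -> bool:
        stored = self.hashes.get(user)
        return stored is not None and verify_password(password, stored)


def plaintext_copies(console) -> dict:
    """Audit helper: every unhashed password an attacker reading the
    console's storage would obtain (empty for the fixed design)."""
    return dict(getattr(console, "recoverable", {}))


if __name__ == "__main__":
    user, pw = "alice@example.com", "hunter2-constructed"   # constructed sample
    flawed = FlawedAdminConsole()
    flawed.admin_set_password(user, pw)
    print("flawed console leaks:", plaintext_copies(flawed))
    fixed = FixedAdminConsole()
    fixed.admin_set_password(user, pw)
    print("fixed console leaks:", plaintext_copies(fixed))
    print("login ok:", fixed.login(user, pw), "reset to:", fixed.admin_reset_password(user))
```

The point of the audit helper is that the flaw is invisible from the login path: both consoles verify passwords correctly. It only shows up when you ask what an attacker reading the storage itself would get, which is the question Google's "secure encrypted infrastructure" statement does not answer.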
What Did Google Say About This?
They reported that they…
“inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident.”
What Should You Do?
If you are using Google's enterprise G Suite, Google advises that you change your password. Google said that passwords not changed by their owners would be reset automatically.
Security keys make 2FA easier to use and harder to phish. Instead of retyping a code, you tap the button on your key, and because the key's response is bound to the site it was registered with, a look-alike phishing site cannot obtain a usable response. Unlike SMS-based 2FA, security keys don't require your phone number. Google recommends them for the strongest protection against phishing.
Use Strong Passwords & Password Managers
This is just one more example supporting the need for strong, unique passwords and a password manager.
Use Complex Passwords.
Passwords remain a go-to tool for protecting your data, applications, and computers.
Make sure you use long passwords that mix capitalization, symbols and numbers, and above all avoid passwords built on a single dictionary word.
This is essential because cybercriminals use cracking software to guess passwords so they can steal your data. Many online accounts have no lock-out threshold, so criminals can run that software against them all day. Worse, when a hash database leaks, as unhashed or weakly hashed passwords did here, the guessing happens offline on the attacker's own hardware, where no lock-out applies at all.
Easy-to-remember passwords let you access your accounts quickly, but they can do the same for hackers. The more characters you use, the better, provided the extra characters are not predictable.
One thing you can do if you can't remember passwords is to use a passphrase instead of a password, for example “w1Nt3r iZ com;nG?” instead of “winter is coming.” Keep in mind that simple substitutions such as 1 for i and 3 for e are built into cracking tools' rule sets, so length and an unpredictable choice of words protect you more than the substitutions do.
Here are some tips when it comes to creating strong passwords:
1. Use at least 8 characters (longer is better) that include:
- Upper and lower case letters
- Numbers
- Special characters such as #!&
2. Use a unique password for each website or cloud application.
3. Change passwords every 90 days, and immediately whenever a compromise is suspected; current NIST guidance (SP 800-63B) favours the latter over fixed schedules.
4. Never share passwords.
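To show why the advice above stresses length and unpredictability over character substitutions, here is an added example (not from the original article) of the rule-based guessing that cracking tools perform against a leaked hash database. It applies a tiny leet-speak, capitalisation and suffix rule set to a four-word wordlist and checks each candidate against a constructed set of unsalted SHA-256 hashes. The wordlist, rule set, hashes and function names are all illustrative; no real credentials are involved.

```python
import hashlib
import itertools
import math

# A tiny rule set of the kind crackers apply to every wordlist entry.
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}
SUFFIXES = ["", "1", "!", "123", "2019", "!1"]


def mangle(word: str):
    """Yield leet/case/suffix variants of one wordlist entry."""
    pools = [LEET.get(c.lower(), c.lower()) for c in word]
    for chars in itertools.product(*pools):
        base = "".join(chars)
        for cased in (base, base.capitalize(), base.upper()):
            for suffix in SUFFIXES:
                yield cased + suffix


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes: set, wordlist: list):
    """Offline guessing: no lock-out, every candidate is free to try.
    Returns (found: digest -> password, number of candidates tried)."""
    found, tried = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            digest = sha256_hex(candidate)
            if digest in target_hashes:
                found[digest] = candidate
    return found, tried


def nominal_bits(alphabet_size: int, length: int) -> float:
    """Guess space a random password of this shape would have."""
    return length * math.log2(alphabet_size)


def effective_bits(guesses: int) -> float:
    """Guess space the attacker actually had to cover."""
    return math.log2(guesses)


# Constructed "leaked" hashes (not real data). Two are mangled dictionary
# words; the third is a four-word passphrase not derived from the wordlist.
LEAKED = {sha256_hex(p) for p in ("W1nt3r!", "Summ3r123",
                                  "tangerine bicycle thunder lamp")}
WORDLIST = ["password", "winter", "summer", "dragon"]

if __name__ == "__main__":
    found, tried = crack(LEAKED, WORDLIST)
    for digest, password in found.items():
        print(f"{digest[:12]}...  ->  {password!r}")
    print(f"candidates tried: {tried}")
    print(f"nominal space of a 7-char password: {nominal_bits(94, 7):.1f} bits")
    print(f"effective space the attacker covered: {effective_bits(tried):.1f} bits")
```

Both substituted passwords fall within about 1,400 guesses, roughly 10.5 bits of effective strength, even though a random 7-character password over the printable ASCII alphabet would nominally offer about 46 bits. The passphrase survives this run only because its words are not in the wordlist, which is the property that matters: choose words an attacker would not put on the list, and use enough of them.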
Use a Password Management Solution.
A password manager generates, keeps track of, and retrieves long, complex passwords for you, so that every account can have a unique one. It can also remember your PINs, credit card numbers and three-digit CVV codes if you choose that option.
It can also store answers to security questions for you, which means those answers can be random strings rather than facts about you that are easy to look up. All of this is held under strong encryption, so that even if the vault file is stolen its contents cannot be read without the master password.
Password managers like LastPass and Dashlane automatically store your login credentials for the various sites you visit. The passwords are encrypted in a database with a key derived from your master password, so the master password is the only one you need to remember.
When creating a new password manager account, the first thing to do is choose a master password. It controls access to your entire password database, so make it a long passphrase that you can remember; it is the one password you will actually type. You can change it later if you need to.
Enterprise editions can tie vault access to Active Directory or a single sign-on provider, so that access follows your corporate login and is revoked when the account is. That also concentrates risk: the corporate login then unlocks every stored credential, so protect it with 2FA, preferably a security key.
When a site password needs updating, the manager generates and stores the new one for that site. The master password itself only needs changing if you suspect it has been exposed; changing it does not change the passwords stored inside.
To use the software, you simply enter your master password, and the program fills in the appropriate login data for you. You can also configure it to store your email address, username and other form data.
Google tells us:
“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security. Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.”
Your company’s password security is ultimately your responsibility. Ensure your employees use best practices when it comes to password security.
Stay up-to-date on the latest IT news and alerts by visiting our Tech Journal.