Google Urges You To Change Your Password
Google is advising that some of their enterprise G Suite customers change their passwords. They discovered that they made an error 14 years ago that resulted in passwords being stored in a plain text format rather than in a scrambled format. This makes it possible for hackers to access usable passwords.
Back in 2005, Google stored the actual user passwords rather than a “hashed” form of them. Even though the issue has since been fixed, if you have an enterprise G Suite account, Google advises that you change your password.
Google explains on their blog:
“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed, and we have seen no evidence of improper access to or misuse of the affected passwords.”
Google Said a Legacy Feature Set Caused Passwords To Be Exposed
In 2005, domain administrators were given the ability to set and recover passwords. They required access to unhashed passwords for this reason. Google has removed this functionality. Domain administrators will now need to reset passwords rather than recover them.
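To illustrate why password recovery needed unhashed passwords while a reset does not, here is an added example (not Google's code) of a hypothetical account store that keeps only a salt and a PBKDF2-HMAC-SHA256 hash per user: it can verify a login and issue an admin reset, but nothing it stores can be turned back into the original password.

```python
import hashlib
import os
import secrets

# Constructed, hypothetical account store for illustration only.
# Per user it keeps (salt, digest); the password itself is never written anywhere.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self._records = {}  # username -> (salt, digest)

    def create(self, username, password):
        self._records[username] = hash_password(password)

    def verify(self, username, password):
        """Login check: re-derive with the stored salt and compare in constant time."""
        record = self._records.get(username)
        if record is None:
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        return secrets.compare_digest(stored, candidate)

    def admin_reset(self, username):
        """Reset: mint a random temporary password, store only its hash, hand it out once.
        The old password is gone for good, which is exactly why reset works with hashes."""
        if username not in self._records:
            raise KeyError(username)
        temporary = secrets.token_urlsafe(12)
        self._records[username] = hash_password(temporary)
        return temporary

    def admin_recover(self, username):
        """Recovery is impossible by design: a hash cannot be reversed into the password.
        The 2005 admin console could only offer this because it kept an unhashed copy."""
        raise NotImplementedError("only salted hashes are stored; use admin_reset instead")
```

Storing a plaintext copy next to the hash, as the legacy console did, would make recovery work again at the cost of exposing every password to whoever can read that copy.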
Google also found another problem in its systems: unhashed passwords were being stored for up to 2 weeks. Google says that, as with the other problem, this has been fixed and it has seen no improper access to or misuse of the affected passwords.
Google also reports…
“Our authentication systems operate with many layers of defense beyond the password, and we deploy numerous automatic systems that block malicious sign-in attempts even when the attacker knows the password. In addition, we provide G Suite administrators with numerous 2-step verification (2SV) options, including Security Keys, which Google relies upon for its own employee accounts.”
Google’s password problem doesn’t affect Gmail users (outside of G Suite subscribers). However, this issue is a reminder that we should all be using strong, unique passwords, along with password best practices.
Hackers Are Hunting For Your Passwords
It’s easier for hackers to gain passwords and break into accounts than most people think. Hackers use software programs that are capable of guessing passwords. The software combines random words and phrases along with any information the hacker has about you.
Sometimes, they can guess them and use a password reset tool to create a new password without your knowledge and consent.
When you repeatedly use the same password for long periods of time, you increase the chance that a hacker will guess your password. The longer you use the same password, the longer a criminal has to discover it.
Google Advises That You Shore Up Your Password Practices
You must employ good password practices to prevent exposure. Don’t use personal information in your passwords such as dates, addresses or names. Don’t use simple words and phrases.
Use random combinations of numbers, letters and symbols that you can remember. For example, instead of “password1” (which you should never use), change up the characters like this: “p4$$w0rD1.” This will be more difficult for the hackers’ software to guess.
Use Multi-Factor Authentication
Here’s what Google advises:
“If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges.
We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.
On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.”
Use a Password Manager
Password managers automatically store your login credentials for the various sites you visit. Passwords are encrypted in a database using a master password, so all that your employees need to remember is their master password.
When creating a new account in a password manager, the first thing to do is to choose a master password. This controls access to your password management database. Make sure it’s a strong password that you can remember because it’s the only one you’ll be using. You can change it later if you need to.
Your master password can also be connected to Active Directory, which means you can use this one password to log in to computers, send email, and anywhere else you need a password. And when your passwords need updating, you only have to change the master password.
To use the password management software, you visit a site and, instead of keying in a unique password, you input your master password for the password management software. The program automatically fills in the appropriate login data for you. You can also configure it to store your email address, username and other data.
In the end, managing a strict password policy, creating strong passwords, and using password managers can be frustrating for some, but it’s incredibly important. If you’re unsure about implementing these procedures, or which password manager is right for your organization, you can ask for help from our IT Security Specialists.