G Suite'n'sour: Google resets passwords after storing some unhashed creds for months, years

www.theregister.co.uk | 5/21/2019 | Staff
hey13 (Posted by) Level 4
Click For Photo: https://regmedia.co.uk/2018/11/09/shutterstock_question_mark_man_shrug.jpg







Google admitted Tuesday its paid-for G Suite of cloudy apps aimed at businesses stored some user passwords in plaintext albeit in an encrypted form.

Administrators of accounts affected by the security blunder were warned via email that, in certain circumstances, passwords had not been hashed, which is a standard industry practice for protecting credentials by scrambling them using a one-way encryption algorithm. Google was at pains to stress the passwords were encrypted at rest on disk, however, hashing them would have fully secured the sensitive info.

Threat - Part - Security - Cockups - Play

Before we get to the threat model part of this, there are essentially two security cockups at play here. The first involves a G Suite feature available from 2005 that allowed organizations' admins to set their G Suite users' passwords via the Google account admin console. That feature, designed for IT staff to help new colleagues set their passwords and log in, did not hash these passwords.

The second involves recording some user passwords in plaintext on disk, as they logged in, and keeping these unhashed credentials around for 14 days at a time, again encrypted at rest. This practice started in January this year, during attempts by Googlers to troubleshoot their login system, and has been stopped.

Issue - Suzanne - Frey - Google - Veep

On the first issue, Suzanne Frey, Google veep of engineering and cloud trust, explained:

In our enterprise product, G Suite, we had previously provided domain administrators with tools to set and recover passwords because that was a common feature request. The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company’s users. The intent was to help them with onboarding new users; e.g., a new employee could receive their account information on their first day of work, and for account recovery. The functionality to recover passwords this way no longer exists.

We made an...
(Excerpt) Read more at: www.theregister.co.uk
Wake Up To Breaking News!
Economic projections are useless with out the exact timer they will occur
Sign In or Register to comment.

Welcome to Long Room!

Where The World Finds Its News!