
Not so Home Suite Home - Google discloses some G Suite account passwords were stored in plain text since 2005

rcmaehl

Source:
Tech Crunch

 

Summary:
Google states that a feature introduced in 2005 for G Suite employee on-boarding was found to store customer passwords in plain text.

Quotes/Excerpts:

Quote

Google says a small number of its enterprise customers mistakenly had their passwords stored...in plaintext. The search giant disclosed...Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” Passwords are typically scrambled using a hashing algorithm. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. Google said it discovered in April that the way it implemented...its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext. Google has since removed the feature. No consumer Gmail accounts were affected by the security lapse. “To be clear, these passwords remained in our secure encrypted infrastructure,” “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.” Google has more than 5 million enterprise customers using G Suite. Google said it also discovered a second security lapse earlier this month...since January it was improperly storing “a subset” of unhashed G Suite passwords on its internal systems for up to two weeks. “This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” Google said it’s notified G Suite administrators to warn of the password security lapse, and will reset account passwords for those who have yet to change. A spokesperson confirmed Google has informed data protection regulators of the exposure. Google becomes the latest company to have admitted storing sensitive data in plaintext in the past year. 

 

My Thoughts:

Can we PLEASE, for the love of all that is good, STOP STORING PASSWORDS IN PLAIN TEXT FOR ANY REASON. Between all the major companies doing proper disclosure of the issue, there are dozens if not hundreds of smaller companies not disclosing they were doing the exact same thing. Perhaps it's time to have a non-medical HIPAA-esque law for data security, I'm sure some nice PERCENTAGE of revenue based fines would kick some companies into doing proper audits.
 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


8 minutes ago, rcmaehl said:

STOP STORING PASSWORDS IN PLAIN TEXT FOR ANY REASON

+1

 

but even better, stop using "Teh Cloud!" applications for everything, forcing us to be beholden to these companies, and thus hoping they programmed security properly...

 

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 


35 minutes ago, rcmaehl said:

Perhaps it's time to have a non-medical HIPAA-esque law for data security, I'm sure some nice PERCENTAGE of revenue based fines would kick some companies into doing proper audits.

I hate to tell you, but not even HIPAA, its audits, or threats thereof, prevent security issues. Until management-types listen to their engineers who insist on developing proper security models, instead of demanding a crap security model due to an arbitrary deadline, it'll keep happening across every industry.
