Google Admits Some G Suite Passwords Have Been Stored In Plaintext Since 2005

Google has announced that it has begun to notify administrators about how some passwords were inappropriately stored on its servers. Google says that its policy is to store user passwords with cryptographic hashes that mask passwords to ensure their security. However, Google recently notified a subset of its enterprise G Suite customers that some of the passwords had been stored in encrypted internal systems without hashes.


Google notes that the issue affects business users only and that no free consumer accounts were affected. Google says that it is working with enterprise administrators of organizations that were affected to ensure that users reset their passwords. The search giant has conducted a "thorough investigation" and found no evidence that the unhashed passwords were ever misused.

Google talks a bit about how it normally stores passwords saying that instead of remembering the exact characters of the password; it scrambles the password using a hash function to make it different than what the real password is. The hashed password is stored with the username in its systems. Google says that it's simple to hash passwords but nearly impossible to unhash them and steal the password.

Google previously provided domain administrators with a tool to set and recover passwords after the feature was commonly requested. It notes that the functionality to recover passwords no longer exists. Google made an error when the functionality was implemented in 2005, and the admin console was storing an unhashed password. While the practice didn't live up to Google standards, the passwords remained in the secure encrypted infrastructure. The issue has now been fixed.

Google also admits that in January of 2019, it inadvertently stored a subset of unhashed passwords in its secure encrypted infrastructure for a maximum of 14 days. That issue has also been fixed, and Google notes that security audits will continue to ensure that the problem was an isolated incident. Google has notified G Suite Admins to change impacted passwords, but it has also reset accounts that have not done so themselves. Google also apologized to users and promised to do better.