Google has stored passwords in plain text since 2005




It has happened again: Google announced today that it is the latest technology giant to have accidentally stored users' passwords unprotected in plain text. G Suite users, be careful.

According to Google, the bug affected "a small percentage of G Suite users," which means it does not affect individual consumer accounts, but it does affect some business accounts, which have their own risks and sensitivities. The company usually stores passwords on its servers in a cryptographically scrambled state called a hash. However, a bug in the G Suite password recovery feature intended for administrators caused unprotected passwords to be stored in the infrastructure of a control panel called the admin console. Google has disabled the features that contained the bug.

Before that, the passwords were accessible to authorized Google staff or to malicious intruders. The administrator of each organization would also have been able to access the plain-text passwords of account holders within their group.

"The fact that it has been around since 2005 and has not been caught is disconcerting."

David Kennedy, TrustedSec

Twitter and Facebook have both dealt with their own plain-text password problems over the last 18 months. But while those two companies concluded that it was not necessary to automatically reset users' passwords, Google has taken that step "as a precaution." At the time, Twitter did not say how long it had been storing users' passwords in plain text. Facebook's bug goes back to 2012.

The Google bug has been around since 2005, a year before "Google For Work" even became an official offering. And while the company says it has no evidence that the plain-text passwords have been accessed or misused, fourteen years is a long time for sensitive data to sit unnoticed.

"Our authentication systems use many layers of defense other than the password, and we deploy many automatic systems that block malicious login attempts, even when the attacker knows the password," wrote Google's vice president of engineering, Suzanne Frey, in a blog post. "In addition, we offer G Suite administrators many 2-step verification options (2SV). … We take the security of our corporate clients very seriously and are proud to be able to evolve industry best practices." security of accounts, not up to our own standards."

Google is now notifying G Suite administrators and says it will also automatically reset any affected passwords that have not yet been changed. The company discovered the bug in April, and found another plain-text password bug in May during its investigation. The latter accidentally stored passwords in plain text for new G Suite customers when they completed registration. That bug only took effect in January 2019, and these plain-text passwords were kept for a maximum of 14 days. Google says it has fixed both the plain-text bug in the main admin console and the more recent issue in the registration flow.

"Google generally has a decent experience in detecting and fixing bugs quickly, which makes it puzzling to see that this has been around since 2005," said David Kennedy, CEO of the enterprise penetration testing company TrustedSec. "We've seen it with Twitter, Facebook, and many other organizations where legacy processes or applications cause clear-text passwords to be leaked internally, and even if they're internal, this always poses a problem of confidentiality and important security."

Since all affected passwords that have not yet been changed will be reset automatically by Google, you should focus on adding two-factor authentication to your G Suite account, if you do not have it already, and maybe cross your fingers that these passwords went unnoticed for 14 years.

