Oops, said Google on Tuesday: you know that domain-administrator tool for setting and resetting passwords in the G Suite business product? The one we put in place in 2005, some 14 years ago?
We blundered, says Google. The company has been storing copies of unhashed passwords, as in unscrambled, plaintext passwords, all this time.
According to a blog post by Suzanne Frey, vice president of engineering at Google:
We made a mistake when implementing this feature in 2005: the Admin Console was storing a copy of the unhashed password. This practice did not live up to our standards.
Only a small portion of businesses were affected, she added, although Google did not put a number on it. Users of the free version and the general public were not affected. Google notified a subset of its G Suite business customers that some of their passwords had been stored in plain text in its encrypted internal systems.
Frey said that, as far as Google knows, no harm was done, and the problem has since been fixed:
To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been resolved and we have found no evidence of improper access to or misuse of the affected passwords.
How it works
Google normally handles passwords by scrambling them with a hash algorithm so that nobody can read them. It then stores the hashed passwords alongside their usernames. Finally, the usernames and hashed passwords are encrypted before being saved to disk.
The next time a user tries to sign in, Google scrambles the submitted password again with the same hash algorithm. If the result matches the stored string, Google knows the correct password must have been entered and allows the sign-in.
As Frey explained, the beauty of hashing is that it is one-way: it is easy to scramble a password, but practically impossible to unscramble it. So if someone gets hold of your scrambled password, they cannot work back to your real password. That assumes it is also salted: a salt is a random string added to a password before it is hashed.
The salt is not a secret. It is just there to make sure that two people with the same password end up with different hashes. That stops attackers from using precomputed hash tables to recover passwords, and from cross-referencing how often a hash appears with how popular a password is. (In an unsalted hash database, the most common hash is probably the hashed version of the infamous "123456", for example.)
The downside of this one-way street is that you are out of luck if you forget your password: Google cannot help by unscrambling it for you. What it can do is reset your password to a temporary one, make it valid for one-time use only, and then require you to choose a new one.
That, anyway, is how things should work, although we have seen plenty of cases where forgetful users get their password e-mailed back to them in plain text: a sign that their passwords are stored in plain text, unsalted and unhashed.
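As an added illustration (example code written for this page, not code from the article or from Google), here is a small in-memory credential store that does what the preceding paragraphs describe: it keeps only a salt and a one-way hash per user, verifies a sign-in by re-running the same hash, shows why an unsalted database leaks which users share the most popular password, and models the reset flow with a single-use token instead of ever recovering the old password. The hash function and parameters (PBKDF2-HMAC-SHA256, 100,000 iterations, a 16-byte salt) are assumptions chosen for illustration; the article does not say which algorithm Google uses.

```python
import hashlib
import hmac
import os
import secrets
from collections import Counter

# Assumed parameters for illustration; the article does not state what Google uses.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Re-run the same one-way function with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


class CredentialStore:
    """Holds only (salt, digest) per user; the plaintext password is never kept."""

    def __init__(self):
        self._records = {}        # username -> (salt, digest)
        self._reset_tokens = {}   # one-time token -> username

    def register(self, username, password):
        self._records[username] = hash_password(password)

    def login(self, username, password):
        rec = self._records.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return verify_password(password, salt, digest)

    def issue_reset_token(self, username):
        """Forgotten password: we cannot unscramble the old one, so hand out a one-time token."""
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = username
        return token

    def redeem_reset_token(self, token, new_password):
        """Consume the token (valid once) and store a new salted hash."""
        username = self._reset_tokens.pop(token, None)
        if username is None:
            return False
        self.register(username, new_password)
        return True


def unsalted_hash(password):
    """The weak scheme: same password always gives the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def most_common_unsalted(passwords):
    """In an unsalted database the most frequent hash points at the most popular password."""
    counts = Counter(unsalted_hash(p) for p in passwords)
    digest, n = counts.most_common(1)[0]
    return digest, n


def salted_hashes_all_distinct(passwords):
    """With per-user salts, identical passwords still produce different stored digests."""
    digests = {hash_password(p)[1] for p in passwords}
    return len(digests) == len(passwords)


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.login("alice", "correct horse battery staple"))
    token = store.issue_reset_token("alice")
    print("reset ok:", store.redeem_reset_token(token, "new password"))
    print("token reusable:", store.redeem_reset_token(token, "again"))
    sample = ["123456", "123456", "hunter2"]
    print("unsalted most common:", most_common_unsalted(sample))
    print("salted all distinct:", salted_hashes_all_distinct(sample))
```

The point of `most_common_unsalted` versus `salted_hashes_all_distinct` is the frequency leak described above: with the unsalted scheme, two users who both chose "123456" share one digest, so the database itself reveals which accounts use the most popular password; with per-user salts, every stored digest is different even when the passwords are identical.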
Goodbye, handy-dandy password recovery tool
To avoid storing passwords in plain text while still being able to help users who had forgotten theirs, Google introduced a password setting and recovery tool in G Suite in 2005.
The tool, located in the Admin Console, let administrators manually upload or set passwords for users in their organization. Google's intention in introducing it was to help with onboarding new users, for example when a new employee needs an account on their first day, as well as with account recovery.
Well, we can kiss that goodbye: Google has removed the feature.
But wait, there's more: Google says that while troubleshooting its new G Suite customer sign-up flows, it discovered that, starting in January 2019, it had also inadvertently stored a subset of unhashed passwords in its secure encrypted infrastructure. The passwords were there for up to 14 days. This problem has also been fixed and, like the first one, it apparently did not lead to anyone getting at the passwords.
Sorry, Google said: we will work to make sure this incident stays isolated.
So, not so isolated in the broader scheme of password storage
Unfortunately, it is not at all isolated among the tech giants, or even the little guys, who store passwords in plain text. In March, user data collected via Facebook by third-party apps was found lying around in the cloud.
Initially, the damage was put at hundreds of millions of Facebook Lite users, tens of millions of Facebook users and tens of thousands of Instagram users.
Oops, make that millions of Instagram users, Facebook added in April: as in, 100 times more than it first thought.
The moral of this story is that if technology giants like Google and Facebook are screwing up and storing passwords in plain text, it is a pretty safe bet that plenty of smaller online services, with less clever and far fewer security engineers, are doing the same thing, whether by mistake or because they do not know any better.
Plaintext passwords = bad. Plaintext passwords = not so rare.
Therefore, two-factor authentication (2FA) = a good way to save your bacon. Turn it on wherever you can: 2FA security keys, or U2F (Universal 2nd Factor) keys, mean that a password alone is not enough for crooks to plunder your account.