A lot of things have changed since 2005. But with an admission that can only be characterized as astonishing, Google just said it’s been making the same security mistake with some users’ passwords, for literally 14 years.
Rather than “hashing” passwords — basically replacing the text with a string of seemingly random letters that can only be deciphered with a code — Google says it accidentally stored an undisclosed number of passwords belonging to users of its paid G Suite email and apps in plain text.
Here’s the problem in Google’s own words:
Google’s policy is to store your passwords with cryptographic hashes that mask those passwords to ensure their security. However, we recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed.
We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards.
Google didn’t say when it first realized the mistake, although it does reference a second, similar issue that apparently came to light in January. Google also says there’s no evidence that anyone’s passwords actually were accessed.
“We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials.”
We should reiterate that if you’re simply using the free version of Gmail, this wouldn’t have affected you; instead it’s some portion of paid G Suite users whose passwords were stored incorrectly.
Google didn’t say exactly how many people would have been affected. We do know, however, that in February Google celebrated having 5 million G Suite corporate customers, each of which one assumes has at least a few employees.
If you’re affected, you should already have been notified, according to Google — or, perhaps more accurately, the employer that subscribed to G Suite should have been notified.
Now, there are a few things to point out, in fairness. The first is that it’s not all that shocking to see this kind of error. I think that at this point, we’re sort of inured to reports that our privacy, personal information and passwords are just out there, for all the world to see.
As Wired noted, Twitter had to announce in May 2018 that it had “identified a bug that stored passwords unmasked in an internal log,” which led it to advise all 300 million of its users to change their passwords.
Facebook said in March that it had stored “hundreds of millions” of user passwords in plain text, and then last month Instagram announced that millions of its own users were affected as well.
And the second thing worth pointing out in Google’s defense is simply the robust blog post it put out explaining the problem. Its announcement is nearly 700 words, and does a good job of explaining how the one-directional cryptography that Google is supposed to be using turns each password into one of those long hashed strings.
It also explains why Google (or any other company doing this securely) should never be able to tell you your password; instead if you forget, you should always have to be prompted to create a new one.
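To make that contrast concrete, here is an added example (my own illustration, not code from Google’s post) that puts the mistaken record, which keeps a copy of the password itself, beside a properly hashed one. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt; the function and field names are mine, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this illustration (not from Google's post):
# PBKDF2-HMAC-SHA256, a random 16-byte salt per record, 200k iterations.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext_copy(password: str) -> dict:
    """The mistake described in the article: the admin record keeps the
    password itself, so anyone who can read the record can read the password."""
    return {"password": password}


def store_hashed(password: str) -> dict:
    """The intended approach: keep only a random salt and the one-way hash.
    Nothing in this record can be turned back into the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Login check: re-derive the hash from the attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def recover_password(record: dict):
    """What a 'tell me my password' feature would need. With a hashed record
    there is nothing to hand back, which is why the only option is a reset."""
    return record.get("password")  # None for a hashed record


def reset_password(record: dict) -> tuple:
    """Forgot-password flow: issue a fresh random password and store only its hash."""
    new_password = secrets.token_urlsafe(12)
    return store_hashed(new_password), new_password


def record_leaks_plaintext(record: dict, password: str) -> bool:
    """Audit helper: does any stored field contain the password verbatim?"""
    return any(password in str(value) for value in record.values())
```

Running `record_leaks_plaintext` over stored records is the kind of check that would have flagged the unhashed copy long before 14 years had passed.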
But the fact that this apparently went undetected for 14 years — and was then an important enough error to warrant this public warning and mea culpa — is what’s most fascinating.
Think back to 2005, when Google first made the error. What was life like for you then?
- Facebook wasn’t really a thing yet; Twitter wouldn’t launch for another year. The iPhone was three years away. I think the guys who started Snap were still in middle school.
- YouTube had just launched, Gmail was still in beta, and Google itself had only been a public company for a year.
- In the world of sports, if that’s your thing, Steph Curry was still in high school, the NHL canceled its season, and the New Orleans Saints had to play all their games on the road due to Hurricane Katrina.
- Personally, I was just out of the army and starting my writing career. It would be another seven years before I got together with my future wife, and almost a decade before I became a dad. (Just for fun, feel free to tell me what you were doing then.)
And for all that time, Google now says it was making this one simple error, over and over and over. It just makes me wonder what other big thing is going on right now — at Google or anywhere else — and that we won’t discover until the year 2033.