
Google has saved some passwords in plain text since 2005



It happened again: Google announced today that it is the latest tech giant to have accidentally stored user passwords in plain text. G Suite users, be aware.

Google says the bug has affected "a small percentage of G Suite users," meaning it doesn't affect individual consumer accounts but does affect some business accounts, which carry their own risks and sensitivities. The company typically stores passwords on its servers in a cryptographically protected form known as a hash. However, an error in G Suite's password recovery function for administrators caused unprotected passwords to be stored in the infrastructure of a control panel called the admin console. Google has disabled the features that contained the error.

Prior to that, the passwords would have been available to authorized Google staff or malicious interlopers. Each organization's administrator could also access the plaintext passwords of the account holders in their group.

"The fact that this was around since 2005 and was not caught is disturbing."

David Kennedy, TrustedSec

Twitter and Facebook have both dealt with plaintext password bugs over the last 18 months. But where those two companies concluded that it was not necessary to automatically reset user passwords, Google took the step "out of an abundance of caution." At that time, Twitter would not comment on how long it had stored users' passwords in plain text. Facebook's bug dated back to 2012.

However, Google's error has existed since 2005, a year before "Google For Work" even became an official offering. And while the company emphasizes that it has no evidence that the plaintext passwords were ever accessed or misused, 14 years is a long time for sensitive data to sit around unnoticed.

"Our authentication systems operate with many layers of defense beyond the password, and we implement many automated systems that block malicious enrollment attempts, even when the attacker knows the password," says Google Vice President of Engineering Suzanne Frey in a blog post. "In addition, we provide G Suite administrators with many two-step verification (2SV) options. … We take the security of our corporate customers extremely seriously and trust in promoting the industry's best account security practices. Here we did not live up to our own standards."

Google is informing G Suite administrators and says it will automatically reset the affected passwords that haven't already been changed. The company discovered the error in April and an additional plaintext password error in May during its

The latter, unfortunately, stored plaintext passwords for new G Suite customers when they completed their registration. This error only came into effect in January 2019, and these passwords were stored for a maximum of 14 days. Google says it has resolved both the primary admin console plaintext error and the more recent sign-up problem.

"Google typically has a decent track record of catching errors quickly and fixing them, so the fact that this was around since 2005 and was not caught is worrying," says David Kennedy, CEO of the penetration testing firm TrustedSec. "We've seen this with Twitter, Facebook and several other organizations where legacy processes or applications cause clear text entry codes to be exposed internally. And even if it's only internal, it still creates significant privacy and security."

Since Google will automatically reset all affected passwords that haven't already been changed, you should focus on adding two-factor authentication to your G Suite account if you don't already have it, and maybe cross your fingers that these passwords went unnoticed for 14 years.

