On Tuesday, Google VP of engineering Suzanne Frey announced in a blog post that the company discovered that they were accidentally storing a “small percentage” of G Suite users’ passwords in plaintext.
Unfortunately, as with most issues in cybersecurity, Google’s announcement is just the tip of the iceberg. The major tech firms like Facebook, Twitter, GitHub, and now Google, that have gone public with these mistakes are definitely not the only companies that are making them—they are just the ones with the security resources and processes to discover these problems and the courage to go public.
In each of the cases mentioned above, the companies found and fixed the issues leading to plaintext storage before anyone took advantage of them to steal users’ passwords—as far as we know. But evidence of such abuse or unauthorized access is not always easy to find, and in Google’s case the passwords were available for 14 years.
I expect that we will start to see more cases where attackers find these problems before the company does. It is very likely this is already happening, but we just don’t find out about most breaches since they go undetected or unreported. Passwords are a major target for cyber criminals because they can often be used to hijack users’ accounts at the breached company and at other websites where people have reused the same passwords.
Usually, when hackers steal a password database, the passwords have been protected by a one-way hash function, which forces an attacker to spend time and computing power (and therefore money) to recover the original plaintext. These accidental plaintext passwords that are showing up in logs and internal tools are therefore almost too good to be true for people who make a living hacking companies.
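As an added illustration of the two points above (example code, not Google’s or the author’s): a redaction step and a log-review check that catch the accidental-plaintext mistake, beside the slow, salted one-way hash that should be the only form a stored password ever takes. The key names, log lines and patterns are constructed for the example.

```python
"""Keep passwords out of logs and store only a slow, salted one-way hash.
Constructed example, not code from Google or the original post."""
import hashlib
import hmac
import os
import re

# Keys whose values must never reach a log line (assumed list; extend per application).
SENSITIVE_KEY = re.compile(r"^(pass(word|wd)?|secret|token|otp)$", re.IGNORECASE)

def redact(record):
    """Return a copy of a structured log record with secret-bearing fields masked."""
    return {k: ("[REDACTED]" if SENSITIVE_KEY.match(k) else v) for k, v in record.items()}

# Pattern a log-review job can use to catch plaintext credentials that slipped through.
LEAK_PATTERN = re.compile(r"\b(password|passwd|pwd)\b\s*[=:]\s*(?!\[REDACTED\])\S+", re.IGNORECASE)

def find_leaks(log_lines):
    """Return 1-based line numbers of lines that still carry a plaintext credential field."""
    return [i for i, line in enumerate(log_lines, 1) if LEAK_PATTERN.search(line)]

def hash_password(password, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256: deliberately slow, so a stolen table costs attackers time per guess."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time; the plaintext is never stored."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Constructed sample log lines; the first is the accidental-plaintext mistake described above.
SAMPLE_LOG = [
    "INFO login attempt user=alice@example.com password=hunter2 ip=203.0.113.7",
    "INFO login attempt user=bob@example.com password=[REDACTED] ip=203.0.113.8",
    "INFO password reset requested for user=carol@example.com",
]

if __name__ == "__main__":
    print(redact({"user": "alice@example.com", "password": "hunter2"}))
    print(find_leaks(SAMPLE_LOG))  # [1]
    stored = hash_password("hunter2")
    print(verify_password("hunter2", stored), verify_password("wrong", stored))  # True False
```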
The problem is rooted in how we use passwords as “shared secrets.” Passwords are supposed to be these unique private values that only the owner knows, but then we have to send them to the dozens of websites we use where company servers see and store them. Sharing a secret is a great way for that information to stop being secret, which is what is happening with passwords. As long as companies continue to collect and store passwords, hackers will target that data and look to take advantage of plaintext accidents.