Biz app login details encrypted at rest, though, ad giant insists
Google admitted Tuesday its paid-for G Suite of cloudy apps aimed at businesses stored some user passwords in plaintext, albeit in an encrypted form.
Hashing is a standard industry practice that protects credentials by scrambling them using a one-way function, unlike encryption, which can be reversed with the key.
Google was at pains to stress it was the enterprise non-consumer version of G Suite affected, and that the passwords were encrypted at rest on disk – though, we note, hashing them would have fully secured the sensitive info.
That feature, designed for IT staff to help new colleagues set their passwords and log in, did not hash these passwords.
The second involves recording some user passwords in plaintext on disk, as they logged in, and keeping these unhashed credentials around for 14 days at a time, again encrypted at rest.