Passwords are hard to manage. People often struggle to create unique, complex passwords for every account they need to protect, and companies regularly fail to protect those passwords. Case in point: Google’s announcement on Tuesday that it stored the passwords of some G Suite users in plain text from 2005 to 2019.
Most systems automatically “hash” passwords to make them nearly indecipherable to hackers. That way if someone compromises a target system they’ll be left with a bunch of gobbledygook that most hackers couldn’t do anything with. A 2005 update to G Suite meant to help users recover their passwords accidentally stopped that hashing.
The passwords were still kept on Google’s encrypted systems, but that’s not particularly comforting, because employees might have been able to access the unhashed passwords. Hashing isn’t just supposed to stymie hackers; it’s also supposed to help protect people from the companies they’re trusting with their data.
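As an added illustration of the hashing step the article describes (example code written for this page, not Google’s or G Suite’s): a salted PBKDF2 credential store, a verifier that recomputes the hash from the stored salt, and a check that flags any record still sitting in plaintext, which is the failure mode the article reports. The record format, iteration count, function names and sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Deliberately slow iteration count for PBKDF2-HMAC-SHA256 (assumed value).
ITERATIONS = 600_000
# Self-describing record: algorithm$iterations$salt(hex)$digest(hex)
STORED_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]{32})\$([0-9a-f]{64})$")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt and return the storable record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    m = STORED_RE.match(record)
    if not m:
        return False  # malformed record: never fall back to a plaintext compare
    iterations = int(m.group(1))
    salt = bytes.fromhex(m.group(2))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate.hex(), m.group(3))


def find_unhashed(records: Dict[str, str]) -> List[str]:
    """Flag every account whose stored credential is not a well-formed hash record.

    A periodic run of this check over the store would catch a feature that
    silently stopped hashing, as the recovery update described in the article did.
    """
    return [user for user, rec in records.items() if not STORED_RE.match(rec)]


# Constructed sample store: two proper records and one account whose password
# was written in plaintext by a (hypothetical) recovery feature that skipped hashing.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
    "carol": "Tr0ub4dor&3",
}
```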
Google said the issue only affected its business customers, so consumers shouldn’t have to rush to change their passwords. The company also notified affected customers and will automatically reset any accounts that don’t change their passwords themselves. (Pour one out for the IT departments that have to manage that kerfuffle.)
There was no indication that any of the passwords were misused, Google said, which means resetting the accounts would mostly be a precautionary measure. Hopefully it would ultimately be unnecessary, but it’s best not to assume when it comes to the security of accounts used by large companies around the world.
Hashing is a basic requirement for any company whose users rely on passwords to protect their accounts. But Google isn’t even the only tech juggernaut to fail in this regard—Facebook left up to 600 million user passwords (and millions of Instagram passwords) similarly unguarded. Even the basics of password security can be elusive.