
Google Just Admitted Storing Passwords as Plain Text for 14 Years - rayascott
https://www.inc.com/bill-murphy-jr/google-just-announced-its-been-making-an-astonishing-mistake-for-literally-past-14-years.html
======
x38iq84n
Unbelievable.

Now it's Google, last time it was Fb, we are talking about the richest
companies ever in existence. Why is it so hard to have internal pen testers
who would discover such fk-ups as storing passwords in plain text? These
companies need internal teams actively challenging the security of their
products and services - something they don't seem to be doing now, or maybe
they do but are not very good at it.

~~~
bristleworm
You know what I don't get? I simply can't understand why, at any point of
development, passwords would be stored in plain text in the first place. I
mean, there is no good reason to do this.

~~~
ColinWright
There is.

The output of cryptographic functions is, by its very nature, random-looking
and effectively untestable. To have a flag that allows you to replace the
hashing with a "pass through" function is valuable for the purpose of ensuring
that your code is doing the right thing.

A fundamental principle of cryptography is that it's nearly impossible to tell
if a hashing function is working properly - it's output is _intended_ to "look
random."

When I develop systems like this I always have a flag that gets used
everywhere I mock a cryptographic function, and that flag also turns on a HUGE
BANNER in the output. It might not be impossible, but it's very, very
difficult for the non-secure version to get deployed.

The situation is more nuanced than that, but there definitely is a reason to
have this kind of insecure code in existence. The trick is making sure it's
effectively impossible for it to go live.

------
ColinWright
The second paragraph:

> _Rather than "hashing" passwords -- basically replacing the text with a
> string of seemingly random letters that can only be deciphered with a code
> -- Google says ..._

No. The hashed password can _never_ be "deciphered". That's part of the point
of using a cryptographic hash.

Am I alone that I find basic errors like this really annoying?

~~~
mgambero
No, you're not alone. That sentence in that piece is embarassing.

