Viewing a Google user's password


Alexander Grutza

Jan 28, 2022, 11:56:51 AM
to GAM for Google Workspace
So it was just brought to my attention that the previous Sysadmin/Manager where I worked had a tool that would allow him to view the password(s) of a Google user.

Does anyone know if that's related to GAM and outputting plaintext or a hash of the password? Or some other tool like a base64 decoder?

Jay Lee

Jan 28, 2022, 12:00:14 PM
to google-ap...@googlegroups.com
It is not possible to view a user's Google password. The only way such a tool could possibly work is to store the password somewhere else when setting it in Google for the user.

What are you actually trying to do?

Jay Lee



Alexander Grutza

Jan 28, 2022, 12:04:00 PM
to GAM for Google Workspace
It was brought up with some talk about testing of user accounts.

Typically I'd agree, but from previous jobs we were able to export a hash of a password (it wasn't from Google, but another system/program), then use a base64 decoding program to convert to plain text.

It sounds like they had an actual tool here for Google (not some spreadsheet or other password generating system that kept logs), so I was wondering if anyone had heard of this related to Google.

Alexander Grutza

Jan 28, 2022, 12:07:21 PM
to GAM for Google Workspace
I suppose that we had access to the password hash at my previous job, and Google doesn't seem to provide a hash of any kind which would make it (in theory) impossible to get the hash and de-hash it. Thought I'd ask

Jay Lee

Jan 28, 2022, 12:12:19 PM
to google-ap...@googlegroups.com
I can state with certainty that Google does not allow you to read user passwords or a hash of a user password. Also, hashing is a one-way operation by design, a hash cannot be "de-hashed" without knowing the original password or brute forcing it which, with modern salted hash algorithms, is not feasible to do even with supercomputers. If you'd like to understand more about hashing I suggest you read through:


Alexander Grutza

Jan 28, 2022, 12:49:38 PM
to GAM for Google Workspace
I won't argue on the Google part and perhaps I'm using the term hash incorrectly after reading. I think I mean encrypted/decrypted. We were able to decrypt an encrypted password at a previous employer of mine without knowing what the password was (obviously) or brute-forcing it. We did it often enough because of the type of work we did. However, the software was all developed in-house (aside from the Linux OS we used: RedHat and SUSE) so that is most likely why we were able to obtain the encrypted password and then decrypt it using a base64 program.

Jay Lee

Jan 28, 2022, 1:47:22 PM
to google-ap...@googlegroups.com
Using encryption on a password rather than hashing is insecure and leads to security breaches. Google uses hashes.

Logging in as your users is bad IT practice (though I agree it's sometimes been the only solution in the past). Instead, you want to look at using tools like GAM and the admin console to manage your users and their data from your admin login. This avoids poor security practices like password sharing and it leaves you with accurate logs should the org need to audit "who did what" in the future.

Jay Lee


Matt Colwell

Jan 28, 2022, 1:54:12 PM
to GAM for Google Workspace
There are utilities you can use that will compare a hashed password against a rainbow table. Ethical uses for such tools would look for common hashes for passwords like "password" or "qwerty", and then alert the user and/or admin of a weak or pwned password. Google does a bit of this nowadays, as I'll get alerts from time to time about a user whose credentials were discovered somewhere on the interwebs.

I've also personally seen SSO and user login portals capture users' passwords to perform the above-mentioned operations.

Jay Lee

Jan 28, 2022, 2:06:49 PM
to google-ap...@googlegroups.com
@Matt Colwell - that's what salting is for. As long as the salt is random and not pre-known you can't use a rainbow table.

Jay Lee
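
The distinctions drawn in the replies above (base64 is a reversible encoding, an unsalted hash can be matched against a precomputed table of weak passwords, a random salt defeats that table) shown side by side. This is an added example, not code from any participant or from GAM; the function names, the sample password list and the iteration count are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os

COMMON = ["password", "qwerty", "123456"]  # constructed sample of weak passwords
ITERATIONS = 200_000  # work factor picked for this demo (assumption)


def b64_roundtrip(secret):
    """Base64 is an encoding, not a hash: it reverses with no key at all."""
    return base64.b64decode(base64.b64encode(secret.encode())).decode()


def unsalted_hash(password):
    """Unsalted SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


# Digest -> password table, computed once and valid for every unsalted store.
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON}


def audit_weak(stored_hex):
    """Weak-password audit: return the known-weak password a digest matches, else None."""
    return PRECOMPUTED.get(stored_hex)


def salted_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password, salt, expected):
    """Login check: re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


if __name__ == "__main__":
    print(b64_roundtrip("hunter2"))             # encoding reverses trivially
    print(audit_weak(unsalted_hash("qwerty")))  # unsalted digest is found in the table
    salt_a, hash_a = salted_hash("password")
    salt_b, hash_b = salted_hash("password")
    print(hash_a != hash_b)                     # same password, different stored values
    print(audit_weak(hash_a.hex()))             # precomputed table no longer matches
    print(verify("password", salt_a, hash_a))   # the real password still verifies
```
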


Matt Colwell

Jan 28, 2022, 2:10:56 PM
to GAM for Google Workspace
@Jay Lee

Totally agree, but I'm sad to say that a lot of the systems I use have only started salting in the past few years.

Steve Carrington

Jan 28, 2022, 2:24:26 PM
to google-ap...@googlegroups.com
Could it be that the passwords were actually stored on the Active Directory side and then synced with Google?
I work in public ed.  We set the passwords in AD for the students and they sync up to Google.
We know what we have set in AD and we do not allow the students to change the password in Google.
We do allow students to change the password in AD and then it syncs with Google and we no longer know what their passwords are.
But, maybe in this previous location you did not allow self-serve AD password changes?


--
Steve Carrington
Chief Information Officer
Murphysboro CUSD #186
McElvain School
593 Ava Road
Murphysboro, IL  62966
V - 618-684-3781 X 6116

F - 618-684-2465
