Because we must assume every database might get breached, plain text passwords should not be stored anywhere. Instead, the password should be hashed, which is a one-way algorithm, preferably using an algorithm that is slow to calculate and using different and long salt for every password. There are many articles explaining these methods in general, including CrackStation: Salted Password Hashing – Doing it Right.
Unless Google has documented it somewhere (or the hashes were breached) we could not tell details about their implementation. We can only trust this giant is treating our passwords properly. But everybody makes mistakes, and even Google was actually storing plain text passwords in one of their solutions for 15 years (2005–2019). From Suzanne Frey: Notifying administrators about unhashed password storage:
Google’s policy is to store your passwords with cryptographic hashes
that mask those passwords to ensure their security. However, we
recently notified a subset of our enterprise G Suite customers that
some passwords were stored in our encrypted internal systems unhashed.
This is a G Suite issue that affects business users only–no free
consumer Google accounts were affected–and we are working with
enterprise administrators to ensure that their users reset their
Knowing this, as a user you should:
- Use a different password for every service. If one gets breached it does not affect all the others.
- Use strong, long passwords. If a hashed version of a password leaks, it will slow down the process of offline brute-forcing it.
To achieve both, using a password manager is recommended.