
I would like to see some research on this topic.  My bet is that anyone using a vault (LastPass, keepass, etc.) is far, far less likely than the general population to suffer a security incident because like Greg, they never use the same password twice (LastPass has some nice features that check the security of your passwords).  We should keep in mind that even with LastPass we have no evidence that anyone was actually affected by the most recent incident, and the company notified customers immediately.  By comparison I have been issued a new credit card 3 times in the last 5 months due to breaches at various retailers, most of which were not detected for months.  
--
Jarlath O'Neil-Dunne
University of Vermont | Spatial Analysis Lab



> On Jun 17, 2015, at 4:33 PM, Greg Kuchyt <[log in to unmask]> wrote:
> 
> We use keepass pretty extensively in SAA.
> 
> http://keepass.info/
> 
> I use two different vaults with creds for work that stays on my laptop
> and a personal vault with all my online passwords. For the most part I
> don't know any of my passwords, they are all randomly created passwords
> generated by keepass. I enable two-factor where available and needed.
> 
> I keep my personal vault in sync with my phone with btsync.
> 
> On 6/17/15 11:23 , Ernie Buford wrote:
>> I don't want to bash LastPass users either, but apparently they are in
>> violation of University policy (unless they have an ISO-approved
>> contract in place).
>> 
>> In the spirit of fostering good security choices by offering
>> understandable and applicable information in a manner that is
>> comfortable to the "non-IT community", what do you security gurus recommend?
>> 
>> Darcy doesn't use a vault. Sam says the password is dead. How do you
>> operate in an online world where everything requires a username and
>> password?
>> 
>> I agree with Greg on LastPass, by the way, but I can't say that I'm
>> above using a vault. I don't know how I would get along (securely)
>> without one.
>> 
>> E
>> 
>> On 6/17/2015 8:30 AM, Pientka, Darcy wrote:
>>> 
>>> Yes, thank you, Don, that would apply to cloud password vaults.
>>> 
>>> 
>>> 
>>> And password vaults, as Greg pointed out, are not all created equal.
>>> 
>>> 
>>> 
>>> Also, I agree with Sam that username/password as the only verification
>>> is not adequate control.
>>> 
>>> 
>>> 
>>> But security needs to be accessible to everyone not just IT people. I
>>> would hate to bash anyone for choosing LastPass as I'm sure their
>>> intent was to be more secure not less. I hope, instead, that we use
>>> opportunities like this to have conversations with our community on
>>> how to make good choices, how to evaluate both technical and
>>> non-technical options, and create an environment where the non-IT
>>> community is comfortable asking a question and getting an answer that
>>> they understand and can apply to their situation.
>>> 
>>> 
>>> 
>>> 
>>> *From:*Technology Discussion at UVM [mailto:[log in to unmask]]
>>> *On Behalf Of *Don Tripp
>>> *Sent:* Tuesday, June 16, 2015 3:24 PM
>>> *To:* [log in to unmask]
>>> *Subject:* Re: LastPass was breached
>>> 
>>> 
>>> 
>>> 
>>> Hi Darcy ... Regarding storing UVM information with external services,
>>> this bit from the ISP has come in the past when reviewing requests to
>>> use cloud based services. Would this apply to passwords?
>>> 
>>> 
>>>    12.2.6. Externally Hosted Services
>>>    Information classified as critical or nonpublic (confidential,
>>>    departmental, or internal) must not be stored on external services
>>>    without a contract protecting the University's interests, approved
>>>    by the ISO.
>>> 
>>> 
>>> - Don
>>> 
>> 
>