I don't want to bash LastPass users either, but apparently they are in violation of University policy (unless they have an ISO-approved contract in place).
In the spirit of fostering good security choices by offering understandable and applicable information in a manner that is comfortable to the "non-IT community", what do you security gurus recommend?
Darcy doesn't use a vault. Sam says the password is dead. How do you operate in an online world where everything requires a username and password?
I agree with Greg on LastPass, by the way, but I can't say that I'm above using a vault. I don't know how I would get along (securely) without one.
On 6/17/2015 8:30 AM, Pientka, Darcy wrote:
Yes, thank you, Don, that would apply to cloud password vaults.
And password vaults, as Greg pointed out, are not all created equal.
Also, I agree with Sam that username/password as the only verification is not adequate control.
But security needs to be accessible to everyone, not just IT people. I would hate to bash anyone for choosing LastPass as I'm sure their intent was to be more secure, not less. I hope, instead, that we use opportunities like this to have conversations with our community on how to make good choices, how to evaluate both technical and non-technical options, and create an environment where the non-IT community is comfortable asking a question and getting an answer that they understand and can apply to their situation.
Hi Darcy ... Regarding storing UVM information with external services, this bit from the ISP has come up in the past when reviewing requests to use cloud-based services. Would this apply to passwords?
12.2.6. Externally Hosted Services
Information classified as critical or nonpublic (confidential, departmental, or internal) must not be stored on external services without a contract protecting the University's interests, approved by the ISO.