I keep most of my non-UVM passwords in a password protected Excel file, saved on Google Drive, secured by Google's two-factor authentication. I use two-factor authentication wherever I can, but unfortunately many/most places still don't have it, and force you to answer security questions whose answers could be easily discovered or guessed or would be already known to people who know me. I have started making up phony answers to the security questions, which means I have to record them somewhere too; they are also going into my Excel file. I have considered using a password vault/app for quite some time, and have read lots of reviews of the various services. All of the ones I have looked at have some feature that I don't like. And then there is the huge amount of work it would take to transfer all my existing passwords.

My UVM passwords and my Google password are not recorded anywhere. I have several UVM accounts (including NetID, .adm, -tech, and two departmental accounts). I have resisted the temptation of using the same password for all of the UVM accounts, but I sometimes have trouble remembering the ones that are used less frequently. And it's a huge ordeal whenever I have to change them. It takes lots of thought and experimentation to come up with new passwords that adhere to the rules, can be easily remembered, and are easy to type. I sometimes end up with passwords that I end up hating because of typing difficulty, but I keep them for a year until I'm forced to change again.

I really wish passwords would die already. Heck, I'd be willing to have a chip implanted in my wrist if it meant I never had to deal with passwords again.

On 6/17/2015 11:23 AM, Ernie Buford wrote:
I don't want to bash LastPass users either, but apparently they are in violation of University policy (unless they have an ISO-approved contract in place).

In the spirit of fostering good security choices by offering understandable and applicable information in a manner that is comfortable to the "non-IT community", what do you security gurus recommend?

Darcy doesn't use a vault. Sam says the password is dead. How do you operate in an online world where everything requires a username and password?

I agree with Greg on LastPass, by the way, but I can't say that I'm above using a vault. I don't know how I would get along (securely) without one.


On 6/17/2015 8:30 AM, Pientka, Darcy wrote:

Yes, thank you, Don, that would apply to cloud password vaults.

And password vaults, as Greg pointed out, are not all created equal.

Also, I agree with Sam that username/password as the only verification is not adequate control.

But security needs to be accessible to everyone, not just IT people. I would hate to bash anyone for choosing LastPass, as I'm sure their intent was to be more secure, not less. I hope, instead, that we use opportunities like this to have conversations with our community on how to make good choices, how to evaluate both technical and non-technical options, and create an environment where the non-IT community is comfortable asking a question and getting an answer that they understand and can apply to their situation.

From: Technology Discussion at UVM [mailto:[log in to unmask]] On Behalf Of Don Tripp
Sent: Tuesday, June 16, 2015 3:24 PM
To: [log in to unmask]
Subject: Re: LastPass was breached

Hi Darcy ... Regarding storing UVM information with external services, this bit from the ISP has come up in the past when reviewing requests to use cloud-based services. Would this apply to passwords?

12.2.6. Externally Hosted Services
Information classified as critical or nonpublic (confidential, departmental, or internal) must not be stored on external services without a contract protecting the University's interests, approved by the ISO.

- Don