Yes, thank you, Don, that would apply to cloud password vaults.
And password vaults, as Greg pointed out, are not all created equal.
Also, I agree with Sam that username/password as the only verification is not adequate control.
But security needs to be accessible to everyone not just IT people. I would hate to bash anyone for choosing LastPass as I’m sure their intent was to be more secure not less. I hope, instead, that we use opportunities like this to have conversations with our community on how to make good choices, how to evaluate both technical and non-technical options, and create an environment where the non-IT community is comfortable asking a question and getting an answer that they understand and can apply to their situation.
College of Medicine Technology Services
Information Security Office
Hi Darcy ... Regarding storing UVM information with external services, this bit from the ISP has come up in the past when reviewing requests to use cloud-based services. Would this apply to passwords?
12.2.6. Externally Hosted Services
Information classified as critical or nonpublic (confidential, departmental, or internal) must not be stored on external services without a contract protecting the University's interests, approved by the ISO.
On 6/16/2015 1:14 PM, Pientka, Darcy wrote:
As the Interim ISO, I can tell you that the policy and procedures documentation is up to interpretation. Nowhere does it specifically exclude the use of password vaults like LastPass but it also makes it clear that any abuse of username/password is the responsibility of the account holder. (references below)
My personal opinion on password vaults is that they should be used only if you: have done research to indicate that the vendor is the best one for your needs, the vendor is reputable and stable with a good track record for security, there is no other way for you to handle all of your passwords securely and confidentially. I do not use a vault and will try to avoid them. But, if there was a choice between writing passwords in plain text on a sticky note or using a reputable password vault – I’d choose the vault.
In the Information Security Policy it states:
This means that, in accordance with the provisions articulated in this Policy and the Procedures, community members are responsible for their use or misuse of University Information and must protect the foregoing from unauthorized distribution, interception or access. Therefore, all members of the University community must comply with provisions in the Procedures that:
(d) Require them to safeguard all physical or electronic keys to University Information Systems or University Information, including, without limitation, requirements related to passwords, ID cards, computer/network account or electronic tokens;
The Acceptable Use policy states:
By accepting or using any UVM computer, network account or connection, or other information and communication technology services provided to him or her by the University, each User understands and agrees to the following …:
1. Account Responsibility: Individual Users are responsible for all uses of University-provided computers, network connections and accounts, and other information and communication technology services, including data backup and password maintenance, under the electronic identity assigned to them by the University.
And in the Information Security Procedures under Personal Responsibility:
6.5. Individuals must safeguard all physical keys such as ID cards or electronic tokens, including computer account (NetID) passwords, that provide access to Protected University Information.
Under Employee Responsibility:
7.3. Individuals must safeguard any physical key, ID card, computer/network account or electronic token that provides access to confidential information. This includes safeguarding computer account (NetID) passwords. Users are personally accountable for all network and systems access under their NetID and must keep their password absolutely secret. Passwords must never be shared with anyone, not even family members, friends, or technology support staff.
College of Medicine Technology Services
Information Security Office
I have to say whether you are using two-factor authentication or not, I would be very wary of putting something as sensitive as a password keychain under the full control of a cloud provider. I am sure the developers at LastPass have the best intentions, but we really only have their word that they are not doing something stupid and evil with your passwords.
I recognize that most folks likely are storing mostly personal (non-UVM) passwords in LastPass, but I suspect that storing UVM passwords in a cloud provider might construe a violation of University network security policy. Maybe. I would be interested to hear the ISO weigh in on this subject.
-J. Greg Mackinnon | ETS Systems Architecture and Administration | x68251
On 6/16/2015 12:16 PM, Joe Parent wrote:
LastPass supports multifactor authentication with Duo Security, as seen on their two-factor authentication page, https://helpdesk.lastpass.com/multifactor-authentication-options. Duo Security is one of the methods we’ve been testing for use on PeopleSoft two-factor, and it works nicely. You can set up Push, SMS, or land-line options so you don’t always need your mobile phone to make it work. See https://helpdesk.lastpass.com/multifactor-authentication-options/duo-security.
The technical details about just how/when LastPass performs two-factor are a little lacking, but I did find this in the FAQ (https://lastpass.com/support.php?cmd=showfaq&id=1826):
How does LastPass securely identify a trusted computer?
When you check the option to mark a device as "trusted", we create a random, unique identifier for that device. We then encrypt that ID using Windows "crypt protect data" functions, which encrypt the ID based on the user's credentials. This ensures that another user would not be able to decrypt it. We then store the encrypted ID on the hard drive, and store a hash of the ID on our server in a database. This is passed back after the user tried to login - the hash is compared with the hash of the ID after it has been decrypted (after the user enters their email address + master password). If they match, LastPass then skips the prompt for a multifactor authentication and logs in the user.
For mobile devices, LastPass uses a randomly generated id that is stored in secure phone storage.
From that I surmise that you only need to go through the two-factor process once per browser to make it a trusted device, although the above sounds like (on Windows computers anyway) it doesn’t matter which browser you use. Not sure how that’d correlate on a Mac, but I imagine a similar method is used. It’s also possible that you’d only need to go through the two-factor when you enter your master password to unlock your vault. I was going to set it up on mine and I can report back later.
ETS Client Services, UVM
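As an added illustration of the trusted-device flow the FAQ describes (this is not LastPass's code and not from the thread): the client keeps an encrypted random device ID, the server keeps only its hash, and the multifactor prompt is skipped only when the decrypted ID hashes to a stored value. The Windows "crypt protect data" (DPAPI) step is replaced by a labelled stand-in keyed from the OS user's credential.

```python
import hashlib
import hmac
import os
import secrets

# Stand-in for Windows DPAPI ("crypt protect data"): DPAPI derives its key from
# the logged-in OS user's credentials, so another OS user cannot decrypt the blob.
# This XOR-with-HMAC-keystream construction is an educational assumption, not
# LastPass's implementation, and it carries no integrity check of its own.
def _device_key(os_user_credential: bytes) -> bytes:
    return hashlib.sha256(b"device-key|" + os_user_credential).digest()

def protect(device_id: bytes, os_user_credential: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = hmac.new(_device_key(os_user_credential), nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(device_id, stream))

def unprotect(blob: bytes, os_user_credential: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = hmac.new(_device_key(os_user_credential), nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))

def mark_trusted(server: dict, client_disk: dict, email: str, os_user_credential: bytes) -> None:
    # Client generates a random, unique device ID; only its hash is sent to the server,
    # and only the DPAPI-style protected form is written to the client's disk.
    device_id = secrets.token_bytes(16)
    server.setdefault(email, set()).add(hashlib.sha256(device_id).digest())
    client_disk["trusted_id"] = protect(device_id, os_user_credential)

def login(server: dict, client_disk: dict, email: str,
          master_password_ok: bool, os_user_credential: bytes) -> str:
    # Email + master password are checked first; the trusted-device check only
    # decides whether the multifactor prompt is skipped, never whether login succeeds.
    if not master_password_ok:
        return "denied"
    blob = client_disk.get("trusted_id")
    if blob is None:
        return "mfa_required"
    candidate = hashlib.sha256(unprotect(blob, os_user_credential)).digest()
    for stored in server.get(email, ()):
        if hmac.compare_digest(candidate, stored):  # constant-time comparison
            return "mfa_skipped"
    return "mfa_required"
```

A different OS user on the same machine, or a fresh browser profile with no stored blob, falls back to the multifactor prompt, which is the behaviour the FAQ text implies.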
So, which of the lengthy list of two part authentication methods do people recommend?
I have little experience but would like something that won’t hit me up for every login, only if something changes (unfamiliar device, remote IP).
I don’t have cell service at home, so having to use the phone to authenticate every time is going to be an issue. Unless that authentication also works over wifi under iOS?
Analysis from Ars Technica:
Hack of cloud-based LastPass exposes hashed master passwords
Users: Change your master password and enable 2-factor authentication immediately.
... Ars resident password expert Jeremi Gosney said the real-world risks the breach posed to end users was minimal. He based his assessment on the LastPass response to the breach and the system that was in place when it happened.
From: Technology Discussion at UVM [mailto:[log in to unmask]] On Behalf Of Jacob Beauregard
Sent: Monday, June 15, 2015 7:07 PM
Subject: LastPass was breached
"We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
CAS IT Administrator
UVM, College of Arts & Sciences
Donald Tripp, PeopleSoft System Admin
Enterprise Application Services
and Information Security Operations
[log in to unmask] ~ 802-656-4104
~~ Need Help? join chat "peoplesoft"