IT Connect

Information technology tools and resources at the UW

Password Manager

LastPass Enterprise is a UW CISO-approved browser-based password management tool.

Managed Workstation has published additional support documentation for their customers which you may find useful.

Current eligibility and cost

  • UW-IT staff are eligible to use it
  • Other IT staff at the UW are permitted to request eligibility
  • Managed Workstation customers are eligible to use it

Note: This software is intended to have a small cost-recovery charge in the future, in the range of $1.50-2/month/user, but that cost very much depends on adoption numbers and could be quite a bit less. UW-IT is not yet prepared to charge eligible users, so use for eligible users at this time comes at no charge.

What is it?

Using this service can improve your password management practices by:

  • providing secure methods to store and share passwords with those that need them,
  • encouraging use and creation of long & complex passwords,
  • preventing password entry on spoofed websites,
  • automatically filling in passwords on websites,
  • making it easy to reset passwords across many web-based services, and
  • reporting on at-risk passwords, such as simple passwords, passwords reused in multiple places, and in some cases passwords that may have been compromised.

Adopting LastPass Enterprise

If you would like to try it out before requesting an enterprise account, LastPass offers separate, free accounts for personal use that can be linked to your enterprise account.

Anyone eligible can request an account, but we encourage entire teams to adopt it. If you need to request eligibility, create a UW Groups group with the users you’d like to be eligible and send the groupid in a request to help@uw.edu. This group should probably be a dedicated group, i.e. its only purpose is to track who is eligible for LastPass.

If you are eligible, to adopt:

Those who request an account will get an email (uwnetid@uw.edu) with a time-limited invitation to create their LastPass account, so they should know to expect the email. Using that invitation, you will create a LastPass Enterprise account password; there is no single-sign-on for LastPass Enterprise.

To complete account setup:

  • We encourage enabling second-factor authentication on your LastPass account. Passwords are the key to a variety of sensitive data, so carefully consider adding this additional protection. LastPass supports a wide variety of multifactor options, including Duo. However, at this time the UW Duo administrators have not yet enabled it for use with our LastPass Enterprise accounts. We do not have an ETA on when they will enable use with LastPass. In the meantime, you can choose to use consumer 2FA solutions such as Google Authenticator.

LastPass Enterprise Deprovisioning

Removing access to a LastPass Enterprise account when someone leaves the UW is an important step to restrict access to only those who should have access.

When you remove users from the eligibility group you provided when adopting, their UW LastPass account will be disabled, then deleted a month or so later. So when you remove users from your group, be prepared for possible loss of password data if that information is accessible only to that user. Using the LastPass Sharing features with UW Groups is a good mitigation for unexpected data loss due to deprovisioning.

For UW-IT users, there is a business process which removes users from uw_it_all, which would in turn remove them from u_passman_users_eligible. The underlying business process has some latency in it, so if you cannot tolerate that latency, you will need to contact help@uw.edu for manual action.

Using LastPass and Support

Here are some key tips on using LastPass Enterprise:

  • Do not forget your Master Password. If you forget or lose the password to your LastPass Enterprise account, we cannot reset your password or recover any of your stored data–we can only delete your account and provision a fresh account. This configuration is intentional–it ensures that no one else has access to your secrets.
  • Support for this tool is expected to be done on a self-help basis using the LastPass Help Center and peer-to-peer discussions.  If you’re unable to resolve an issue yourself, send a message to help@uw.edu with details. If you encounter an issue you think should be documented, please let us know.
  • You might wonder what the business continuity is – what if you need a password you’ve stored in LastPass but they are completely offline? That’s addressed here and here; the short version is that all your data is cached & encrypted locally on the computer(s) you’ve used to access LastPass, so you can access it regardless.
  • LastPass Free (personal) accounts are not associated with the UW. You can link free (personal) and enterprise (work) accounts, but UW LastPass administrators have no access to linked free accounts.
  • UW LastPass administrators have no access to passwords stored in enterprise accounts. UW LastPass administrators can perform management activities such as deleting an account or removing 2FA, but your data cannot be accessed by UW LastPass administrators.
  • Once you have an account and have added some passwords, the Security Challenge will give you some valuable feedback on your password strength and, in some cases, whether any of your passwords may have been compromised.
  • You can integrate a UW Group as a LastPass Group for the purpose of sharing folders. Changes to the UW group will automatically flow to the LastPass group. Send a message to help@uw.edu to set up a synchronized group.

Future

This service is expected to expand to additional user populations. Further expansion and delivery of a cost-recovery mechanism depend on prioritization of a project. Support may broaden slightly as expansion happens.
