LastPass Enterprise is a UW CISO approved browser-based password management tool.
Managed Workstation has published additional support documentation for their customers which you may find useful.
What is it?
LastPass Enterprise enables you to improve your password management practices by letting you create secure passwords without requiring your team to remember long and complex ones. As password cracking techniques become more sophisticated, implementing a password manager is an easy and robust method of keeping your sensitive data secure.
Using this service can improve your password management practices by:
- Providing secure methods to store and share passwords with those that need them
- Encouraging use and creation of long & complex passwords
- Preventing password entry on spoofed websites
- Automatically filling in passwords on websites
- Making it easy to reset passwords across many web-based services
- Reporting on at-risk passwords, such as simple passwords, the same password reused in multiple places, and, in some cases, passwords that may have been compromised
Current eligibility and cost
- All UW employees with a valid budget are eligible to request a LastPass Enterprise Account
- Managed Workstation customers are currently eligible to enroll
- Non-MWS customers can also request accounts, though their team will first need to have an eligibility group created.
Note: This software is intended to have a small cost-recovery charge in the future, in the range of $1.50-2/month/user, but that cost very much depends on adoption numbers and could be quite a bit less. UW-IT is not yet prepared to charge eligible users, so use for eligible users at this time comes at no charge.
Adopting LastPass Enterprise
If you would like to try it out before requesting an enterprise account, LastPass offers separate, free accounts for personal use that can be linked to your enterprise account.
Managed Workstation customers are able to enroll using the steps here. (An MWS customer is anyone who is a member of an eligibility group as designated by their MWS customer account contact.)
Non-MWS customers can also request accounts, though their team will first need to have an eligibility group created. More information on that process can be found here.
After initially requesting an account, a user will get an email (email@example.com) with a time-limited invitation to create their LastPass account, so they should know to expect the email. Using that invitation, you will create a LastPass Enterprise account password; there is no single-sign-on for LastPass Enterprise.
To complete account setup:
- UW Duo MFA is currently enabled on all LastPass accounts. This account controls access to passwords that can likely reach your most sensitive data, so it deserves additional protection. LastPass also supports a wide variety of other multifactor options.
LastPass Enterprise Deprovisioning
Removing access to a LastPass Enterprise account when someone leaves the UW is an important step to restrict access to only those who should have access.
When you remove users from the eligibility group you provided when adopting, their UW LastPass account will be disabled, then deleted a month or so later. When you remove users from your group, be prepared for possible loss of password data if that information is accessible only to that user. Using the LastPass Sharing features with UW Groups is a good mitigation for unexpected data loss due to deprovisioning.
Using LastPass and Support
Here are some key tips on using LastPass Enterprise:
- Do not forget your Master Password. If you forget or lose the password to your LastPass Enterprise account, we cannot reset your password or recover any of your stored data; we can only delete your account and provision a fresh account. This configuration is intentional: it ensures that no one else has access to your secrets.
- Support for this tool is expected to be done on a self-help basis using the LastPass Help Center and peer-to-peer discussions. If you’re unable to resolve an issue yourself, send a message to firstname.lastname@example.org with details. If you encounter an issue you think should be documented, please let us know.
- You might wonder about business continuity: what if you need a password you’ve stored in LastPass but the LastPass service is completely offline? That’s addressed here and here; the short version is that all your data is cached and encrypted locally on the computer(s) you’ve used to access LastPass, so you can access it regardless.
- LastPass Free (personal) accounts are not associated with the UW. You can link free (personal) and enterprise (work) accounts, but UW LastPass administrators have no access to linked free accounts.
- UW LastPass administrators have no access to passwords stored in enterprise accounts. UW LastPass administrators can perform management activities such as deleting an account or removing 2FA, but your data cannot be accessed by UW LastPass administrators.
- Once you have an account and have added some passwords, the Security Challenge will give you some valuable feedback on your password strength and, in some cases, whether any of your passwords may have been compromised.
- You can integrate UW Groups as a LastPass Group for the purpose of sharing folders. Changes to the UW group will automatically flow to the LastPass group. This process is documented here. Send a message to email@example.com to set up a synchronized group.
Adoption of this technology will expand to additional user populations. Further expansion and delivery of a cost-recovery mechanism depend on prioritization of a project. Support may broaden slightly as expansion happens.