Updates

From: Division of Information Technology
Date: 03/30/2023
Headline: An update on Password Manager services at Virginia Tech

For several years LastPass has been a leader in the Password Manager market. However, shortly after Virginia Tech rolled LastPass out to all employees (October 2022), LastPass announced that a severe breach had occurred dating back to August 2022. This development led Virginia Tech to halt further deployment of LastPass to students and university affiliates in 2023. 

LastPass has been disappointingly slow to release details of the breach, drawing much criticism from the user community and in the news for their lack of transparency. Recently, new information was released that gave more detail on how their systems were breached, and the information on security lapses in their internal practices was concerning.

For this reason, we are exploring the viability of continuing to use LastPass as our enterprise password management solution or pursuing other alternatives. In addition, we are taking the following actions:

  • The LastPass stakeholder group, led by Secure Identity Services in the Division of IT, will reform as the Password Manager Working Group. The group includes representatives from the Division of IT and Distributed IT.
  • The working group will reach out to other universities and collect information on what actions they are taking and what other password managers they are using. 
  • The working group will develop a survey of Virginia Tech LastPass users and the IT communities at Virginia Tech to collect input on what other password managers are in use or should be considered for use in the future, as well as what features are important to the user community. The survey is expected to launch in the next few weeks.
  • We will engage with LastPass on how to fully disable invitation reminders. The content and frequency of these emails are controlled by LastPass.
  • Our LastPass license will be renewed for another year while we explore future options. 
  • The working group will monitor further information from LastPass and engage with LastPass account representatives regarding the actions that LastPass is taking to remediate their security weaknesses. This information will be used to evaluate the potential of continuing to use LastPass in the future. 
  • The rollout of LastPass to students and affiliates has been indefinitely postponed, and will only resume if a decision is made to remain with LastPass as our enterprise password manager service.

The working group will work to complete the above actions within the next six months and finalize a service recommendation so there is adequate time to implement a potential vendor change or sunset of LastPass before the next license renewal for LastPass. In the meantime, we want to highlight that the use of LastPass is not mandatory and users are free to discontinue use at their discretion.

From: Division of Information Technology
Date: 01/09/2023
Headline: LastPass users encouraged to change passwords stored in LastPass to protect accounts

In December 2022 LastPass announced a breach of their services. Unknown actors were able to obtain backup versions of user vaults (an individualized data store of websites, usernames, and passwords), which included both unencrypted and encrypted information. Until LastPass can provide information on which vaults were obtained, we must assume that all vaults were obtained. 

As you may know, Virginia Tech was in the process of rolling out LastPass to portions of the university community. While we get clarity on the extent and long-term effects of this breach and the corporate response to it, we are pausing this rollout. We recommend that current users follow the guidance provided below. We still maintain that using a password manager is a valuable security measure that encourages the use of complex passwords, and plan to continue rolling out LastPass accounts to the university once a satisfactory assessment is completed.

Key information and guidance for LastPass users:

  • What was obtained in the breach?
    • Copies of user vaults that include both unencrypted data such as website URLs and encrypted data such as usernames and passwords, secure notes, or form-fill data.
  • What did they NOT get?
    • The attackers did not get the encryption keys that are used to encrypt stored usernames and passwords. LastPass does not possess these keys, and they are unique to each user. 
  • What are the risks from this breach?
    • The unencrypted data gives attackers information about where you have accounts. This may allow them to target those accounts for phishing campaigns, etc.
    • The encrypted data is not readily accessible to the attackers, as it is encrypted with 256-bit AES (Advanced Encryption Standard). Nevertheless, they do possess a copy of that encrypted data. While it is unlikely that they can decrypt this data anytime soon, there is a risk. Some analysts believe it is only a matter of time before the attackers can crack a given vault and access the encrypted data.
  • What should LastPass users do to protect themselves?
    • Change all of your passwords for accounts that are stored in LastPass. The only way to fully protect yourself from the risk of your secrets eventually becoming known is to change all passwords stored in LastPass. 
    • If you have a non-VT (personal) LastPass account, you should also change your master password for that account. 
    • If you have a VT LastPass account, make sure your VT Username and Hokies ID username and password(s) are not stored in LastPass. If they are, remove them immediately from LastPass, and change those passwords.
    • Never use your VT Username or Hokies ID passwords as the password for other accounts. 
    • Be extra vigilant when it comes to phishing attempts related to the accounts that you have in LastPass.
    • Avoid reusing passwords – if one account is compromised you can assume adversaries will try those credentials on all your other accounts. 
  • Always turn on 2-Factor Authentication for any account possible.

LastPass architected their service so that they possess neither your unencrypted secrets nor the keys to decrypt them. Encryption and decryption happen in the local client software on your device; this is an important layer of protection that mitigates the risk in the event that vault secrets are ever compromised.

Password managers make it more practical to use strong passwords, but unfortunately, they are a rich target for bad actors, as we have seen with this case. The Virginia Tech IT Security Office will continue to monitor information regarding this breach. 

Additional resources:

  • Instructions on how to change VT passwords
  • Cybersecurity Awareness Tips
  • Links to all Cyber Security services offered through the Division of IT
  • LastPass Knowledge Base Article

Subject: LastPass Announcement

Dear Virginia Tech Employees,

Secure Identity Services, a unit of the Division of Information Technology, is in the process of offering LastPass accounts to all employees. LastPass is an online password management tool that makes it a lot easier to maintain a high degree of security for your accounts and to have more complex passwords. It also allows for the secure sharing of individual passwords across work or family groups. 

The rollout began this summer with an initial offering to a small number of departments. Now we are ready to expand this service to employees in all departments. When we are ready to deploy LastPass for your senior management area, you will receive an activation email from LastPass that will allow you to claim and activate your account. Senior management areas will be added in a phased approach over the coming weeks; details are available on our site. All Virginia Tech employees are eligible for an account at no cost, and sometime next year current students will also be eligible.

If you already have a personal LastPass account using your @vt.edu email address, you should receive an invitation to join your account into the VT enterprise business account and start getting your benefits for free, if desired.  

If you have not received an email from LastPass to activate your account within a week of the date listed for your area, please open a ticket with 4Help through the website at 4help.vt.edu, or by calling (540) 231-4357. For more information and answers to frequently asked questions, visit our KnowledgeBase article on LastPass. Note that after your account becomes federated, you will log in via the LastPass browser plugin using your Hokies ID.

Ryan McDaniel
Executive Director, Secure Identity Services
Division of IT
Virginia Tech

LastPass
LastPass is a state-of-the-art password management tool that allows users to securely store and use passwords for all their websites and services. It also facilitates secure storage and sharing of shared secrets for teams. 

You can see more about the product on their website: https://www.lastpass.com/

Secure Identity Services is pleased to offer LastPass accounts to all Virginia Tech employees. A limited number of departments within Virginia Tech participated in our initial pilot rollout in the Summer of 2022, and now we are ready to expand our service offering to other organizational units. We will eventually be offering this service to all Virginia Tech employees and sometime next year to current students as well. Once an organization is included, new employees in that organization will automatically receive invitations after they hold either the employee-state or employee-wage affiliation.

If you already have a personal LastPass account using your @vt.edu email address, you should receive an invitation to merge your account into the VT enterprise business account and start getting your benefits for free. 

You can find more information and an FAQ in our Knowledge Base article in ServiceNow (KB0012987). Note that after your account becomes federated, you will log in via the LastPass browser plugin using your Hokies ID.

LastPass Enterprise accounts are now available for the following users:

  • Employees
    • All Virginia Tech Employees (required affiliations: vt-employee-state, vt-employee-wage, vt-student-wage)
  • Students
    • None at this time. The exception is student workers.
  • Affiliates
    • None at this time