Image by justonlysteve via Flickr
I work in an industry that deals with Protected Health Information (PHI). According to the Health Insurance Portability and Accountability Act (HIPAA) we need to apply certain measures to protect this information, and continue to improve those measures.
Over time our company has increasingly found itself turning to the Internet to retrieve information regarding patient visits, explanations of benefits, remittance advice, bank statements, etc. The list grows daily.
As this list grows, so do the accounts (username & password, and sometimes a challenge question). Keeping track of these is becoming a daunting task, and an even greater one is maintaining standards on password strength.
In the IT support world, it is common to find weak passwords and poor account management practices:
- Passwords written on Post-it Notes stuck under keyboards or, worse, on the monitor.
- Using birthdays; pet, child, sibling, or spouse names; common passwords.
- Failing to enforce password policies at the IT Management level.
- Poor account management policies.
- Poor Anti-Virus and Anti-Spyware/Trojan/Malware protection and update methodology.
Let's face it. Most of us are lazy when it comes to security and creating meaningful passwords. In defence of "us" I'll be the first to say it is a PITA to remember a litany of passwords, let alone having to mentally dig up or create one that is actually complex.
LastPass is a giant step forward to solving this part of "The Problem". It is quite literally one of the slickest ideas I've come across to solve this issue for our environment.
It's got many things going for it:
It's CHEAP. Free for the web and browser plugin version. $12 per year to add the Mobile version to your phone. $24 per year per person for the Enterprise version.
Customer Service is superb.
Features for the free version:
- ONE MASTER PASSWORD. Of course, you will want this password to be VERY STRONG.
- Automatic Form Filling.
- One Click Login.
- Synchronize across browsers.
- Secure ANY type of text data.
- Share your passwords with friends.
- Export/Import from many different password repositories (Firefox, IE, KeePass, etc.)
- Generate more secure passwords.
- Back up your passwords.
- Identities to keep personal logins separate from others (like work).
- Screen keyboard to further protect your master password from keyloggers.
As noted above, if you purchase LastPass, you also get LastPass Sesame, which turns your thumb drive into a multi-factor device, and the Mobile version.
I have a rather ordinary Windows Domain, with a Terminal Server and a number of XP workstations. I wanted to enable the automated login process noted on their Enterprise pages.
What I had to do was add this line to a batch script attached to a Group Policy that applied to a group of target computers, specifically under Computer Configuration -> Windows Settings -> Scripts -> Startup:
lastpassfull.exe --userinstallie --userinstallff --userinstallchrome --installforallusers -j "%PROGRAMFILES%\LastPass"
The next step was to get the user logged in automatically without them ever knowing the master password. The reason for this is to keep them out of these accounts when not on site, protecting the PHI as best we can. This is achieved by the following line, run from the user's login script, which executes under their security context:
"%PROGRAMFILES%\LastPass\lastpass.exe" -dl=ihbsonline.com -cid=12345678
For those in management who needed access outside the building, I simply didn't add this line, so they have to log in manually.
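Here is one way to put the two pieces above (the startup-script install and the per-user auto-login) into a single logon script, as an added example that is not the script from the original post. It goes a little beyond the post's approach: instead of keeping separate login scripts for staff and management, one script checks the user's group membership and skips the auto-login line for members of a designated group. It assumes whoami.exe is available on the workstation, that the domain is called CORP and the exempt group is "CORP\LastPass-Manual" (both placeholders), and it reuses the -dl and -cid values exactly as the post shows them (the cid is the post's own placeholder).

```batch
@echo off
:: Added example logon script, not the original post's script.
:: Intended to run under the user's own security context as a
:: Group Policy User Configuration logon script.
:: Assumptions: whoami.exe exists, CORP is a placeholder domain name,
:: CORP\LastPass-Manual is a placeholder group whose members log in
:: manually, and LP_CID is the post's placeholder value.
setlocal

set "LP_EXE=%PROGRAMFILES%\LastPass\lastpass.exe"
set "LP_DOMAIN=ihbsonline.com"
set "LP_CID=12345678"
set "MANUAL_GROUP=CORP\LastPass-Manual"
set "LOGFILE=%TEMP%\lastpass-logon.log"

:: If the computer startup script has not installed the client yet,
:: there is nothing to log in to; record it and leave quietly.
if not exist "%LP_EXE%" (
    echo %DATE% %TIME% lastpass.exe not found, skipping auto-login >> "%LOGFILE%"
    goto :end
)

:: Members of the manual-login group are the people who need access
:: off site, so they keep the master password and log in themselves.
whoami /groups | findstr /i /l /c:"%MANUAL_GROUP%" > nul
if %ERRORLEVEL% EQU 0 (
    echo %DATE% %TIME% %USERNAME% is in %MANUAL_GROUP%, manual login >> "%LOGFILE%"
    goto :end
)

:: Everyone else gets the enterprise auto-login from the post, which
:: means they never see or need the master password.
echo %DATE% %TIME% auto-login for %USERNAME% >> "%LOGFILE%"
"%LP_EXE%" -dl=%LP_DOMAIN% -cid=%LP_CID%

:end
endlocal
```

The log file is written to the user's own %TEMP% so that a help-desk call about "LastPass didn't log me in" can be answered by looking at one line rather than guessing whether the install or the group check was the cause.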