Duke University is one of the most storied and prestigious learning institutions in the United States. Duke and its healthcare arm, Duke University Health System, are home to tens of thousands of students and employees.
With so many coming and going from the Duke campus every day – and accessing Duke’s many state-of-the-art services within its digital network – security is a top priority for Duke’s Office of Information Technology (OIT). And like any IT department head, IT Security Office senior manager Nick Tripp knows that password security is the backbone of a sound security approach.
“Password managers make life easier, more secure. We’re all aware that the main problem with passwords is it’s hard for users to create strong passwords,” Tripp says.
The trick, though, is getting everyone to use their password manager to generate and store strong passwords. Having adopted a 1Password competitor years ago, many on campus simply didn’t use it. And even those that did struggled to integrate it into their daily workflows.
“We discovered groups weren’t doing [password management] properly. At least five groups were logging into the same account and just using one vault,” Tripp says. “We discovered that most people were just using their personal accounts. They weren’t necessarily storing Duke data. If they were, it was all mixed together. We had very few IT support groups using it in a coordinated way.”
Maximizing adoption with 1Password’s legendary ease of use
Tripp knew there was a better way, because he personally used 1Password. He could attest to the ease of use thanks to the “native apps, the user experience, and the integration between those two,” Tripp says. “I personally use it for all of my own accounts and had a 1Password Families account prior to this. That’s shared between me, my wife, my two kids, and my mother-in-law to make sure that good password hygiene is happening.”
And he wasn’t the only one. Tripp explored other password management options “for the sake of due diligence, but enough people used 1Password personally that we knew what the best option was.”
If Duke was going to shore up its password management, a change was in order. “We got approval from both CISOs [of Duke University and Duke University Health System]. Then we got approval from our CIO and IT advisory committee, and similar governing bodies.”
Great security starts with a great user experience
The results were more than Tripp had hoped for. “We’ve seen significant uptake from staff and students. We tripled enrollment during the migration from our previous password manager,” he says.
And because IT finds it easier to manage, the implementation is more focused and deliberate. “My team and the Health Security Office are doing training and onboarding groups. We’ll spend an hour initially and come back and do 30-minute sessions as needed. We’ve found that once people understand the concepts, which doesn’t take long, it’s a really smooth transition. I’d chalk that up to the user experience in 1Password, which we clearly think is superior to every other product we’ve looked at,” Tripp says.
They also created shared docs and knowledge base articles internally, he says, “and honestly, most of that is just linking out to your existing documentation and online learning.”
The focus on strong cross-platform support also helps, because everyone gets the same experience on every device. “We have a lot of Mac users, but we’re also very diverse in terms of computing. Lot of Windows devices, too, and a lot of other orgs like Engineering use Linux,” Tripp says.
A win for usability is a boon for security. “We have more people than ever doing password management – by a lot – which is a win for security overall,” Tripp says.
And what if he had to go back to the old way of doing things? It’s a non-starter, he says. “I have about 2000 individual items for me personally, and I maybe know three of those passwords.”