LastPass at HKS: Encouragement is Enough

Every day, Harvard University and its affiliates are subject to tens of thousands of attempted cyber attacks, many of which are designed to gain access to private personal information, advanced academic research, corporate data, and even sensitive government and military documents. While the perpetrators of cyber-attacks against Harvard are as varied as the “Syrian Electronic Army” and common cybercriminals, and motives range from financial interest to ideology to state-sponsored espionage, these attacks regularly exploit banal vulnerabilities like insecure passwords. In fact, according to a recent Verizon report, more than 80 percent of data breaches result from weak or compromised credentials.

This multi-billion dollar problem can’t be solved by mandating “stronger passwords.” Let’s face it: nobody likes creating or remembering multiple passwords, and certainly not multiple passwords of any complexity. An overwhelming majority of people reuse weak and easily guessed passwords, enabling hackers to gain access to multiple accounts with one set of user credentials. For many cybersecurity experts, secure password managers offer a partial solution to this epidemic of poor cyber hygiene, and several encourage large organizations to require their use.

However, mandating the use of a specific technology solution, LastPass, at the Harvard Kennedy School (HKS) would represent a dramatic intrusion into the private lives of Harvard students, faculty, and staff, who would then be encouraged to centralize all their user credentials in a single HKS-sanctioned location. While HKS can and should facilitate the use of a password management system, and educate the HKS community about their utility in guarding against data breaches, such a mandate should not be pursued.

What is LastPass, and Why Should People Use It?

As a password management system, LastPass’ core value proposition is that it provides users with a single secure online location for storing all of their usernames and passwords, which are then automatically entered whenever you need to log in to a website. Because LastPass remembers all of your user credentials, and even helps you create strong passwords for new and existing accounts, the system makes it easy to maintain a robust, compartmentalized set of login credentials across the many websites you use. As a result, if one of your accounts is hacked or suffers a data breach, then only that account is compromised. All of your other critical personal information and online accounts (i.e. banking information, health records, Social Security number email accounts, HKS accounts) remains difficult to access.

For a large, prominent institution like HKS, the costs of poor data hygiene can be even higher. Just like one weak password can enable a dedicated hacker to gain access to several poorly-protected individual accounts, one compromised HKS student, faculty, or staff account can lead to a far broader data breach. For instance, after a Dropbox employee reused a personal password at work, hackers were able to obtain the user credentials of almost 70 million people in 2012. Further, if hackers were able to gain control of one poorly-secured HKS email account, they could launch convincing phishing attacks to extract sensitive information from other HKS-affiliated individuals. As a result, the widespread use of password management systems can constitute a form of “cyber herd immunity,” where vulnerable organizations like HKS are better protected from cyber-attacks when each member has good cyber hygiene.

Then Why Not Mandate It?

To be sure, the costs of a data breach can be severe for both organizations and individuals. That said, if HKS mandates the use of LastPass for all students, faculty, and staff, that would represent a remarkable intrusion into their private digital lives, even if LastPass is a highly-regarded and independent technology solution. For this policy to be effective, individuals would need to turn over and centralize as many of their user credentials as possible within LastPass. LastPass may be more secure than their previous password management solution, but an increasingly large portion of our lives are lived and recorded online, and providing one HKS-sanctioned company with access to all of these accounts requires a great deal of trust.

Given the above, it is not unreasonable that some HKS community members would be hesitant to turn over their sensitive account information to LastPass. Furthermore, considering the importance of digital privacy rights and digital agency, it would be problematic if HKS forced them to do so. While these concerns outweigh the potential risk mitigation associated with a LastPass mandate, HKS would certainly be justified in encouraging community members to voluntarily adopt LastPass or a similarly trusted password management system.

Additionally, it is important to acknowledge that no password management system is perfectly secure, and that there are risks associated with each technology solution. For its security, LastPass relies upon a combination of a “Master Password” and two-factor authentication. While these powerful methods are substantially more secure than weak, repeated passwords across accounts, they can still be exploited, and LastPass has suffered a series of relatively minor security breaches in the past.

Final Thoughts for HKS

While HKS should pursue a LastPass mandate for students, staff, and faculty, there are a number of actions that HKS could take to encourage broader adoption of password management systems and digital hygiene. For instance, HKS could provide every incoming student and employee with a “digital hygiene checklist,” which would include actions like setting up LastPass and ensuring that your HKS passwords are completely unique. Additionally, HKS could periodically encourage community members to use a tool like Google’s “Password Checkup” to ensure that critical passwords have not been compromised.