On Using Password Managers at Harvard

I believe Harvard should strongly recommend that both its students and employees use a password manager.

In this blog post I will claim that:

  1. Using a password manager has great security value for Harvard (both students and employees). I will show this by modelling the threats and analyzing possible solutions.
  2. However, it is impossible to enforce the use of a password manager, so it can’t be made mandatory.
  3. Still, there are effective actions Harvard can take to increase the adoption of password managers among its users.

LastPass

LastPass is one of the most widely used password managers. Its aim is to solve the major problem with passwords: people tend to use weak passwords and reuse them across different services in order not to forget them. To solve this, LastPass “remembers” all the passwords for you and saves them to the cloud so they can be accessed across devices. All of your passwords are stored encrypted and protected by a single “master password” (LastPass also supports two-factor authentication). When creating a new password, LastPass also assists by generating a “strong” random password.

LastPass — Security Considerations

LastPass’s major advantage is that it helps users use strong and different passwords for every website. In that way, if a password for one web service is stolen or revealed, it does not affect the security of other web services. It also prevents my passwords from being cracked by an attacker by assisting in generating strong random passwords.
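The reuse argument above can be made concrete with a small audit. This is an added example, not part of the original post and not LastPass code; the site names, passwords and function names are constructed for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Assumed character set for generated passwords (75 symbols).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character uniformly from the alphabet using a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def blast_radius(vault):
    """For each site, the set of sites exposed if that site's password leaks."""
    by_password = defaultdict(set)
    for site, password in vault.items():
        by_password[password].add(site)
    return {site: by_password[password] for site, password in vault.items()}


def migrate(vault):
    """What a password manager does: one independent random password per site."""
    return {site: generate_password() for site in vault}


# Constructed sample: a user who reuses one memorable password on three sites.
REUSED_VAULT = {
    "mail.example": "Crimson2016",
    "shop.example": "Crimson2016",
    "forum.example": "Crimson2016",
    "bank.example": "Veritas!9",
}

if __name__ == "__main__":
    for site, exposed in blast_radius(REUSED_VAULT).items():
        print(f"leak at {site} exposes {len(exposed)} account(s)")
    worst = max(len(s) for s in blast_radius(migrate(REUSED_VAULT)).values())
    print(f"after migration, worst case is {worst} account per leak")
    print(f"entropy per password: {entropy_bits(20, len(ALPHABET)):.1f} bits")
```

With the reused vault, a leak at the least protected site exposes three accounts; after migration every leak is contained to the one site where it happened.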

However, with these benefits comes a new drawback: all of the user’s passwords are now stored in one place. This means that if, for example, an attacker obtains access to a computer on which LastPass is installed, he then has access to all of this user’s web passwords (the attacker must still obtain the master password, but this can be done by using a keyboard sniffer, for example).

[Figure: Password Managers Pros and Cons]

Harvard — Threat Modeling

In order to analyze the security benefits of using password managers for Harvard, I will start by modelling the threats — whom we want to protect and from whom.

Protect who:

  1. Students
  2. Faculty
  3. Staff

Protect from:

  1. Hackers / criminals — Non-targeted attacks. In this case the attacker tries to exploit as many computers as he can, usually in order to steal information (credit card numbers, bank accounts, passwords, etc.). By chance, one of the victims might be a Harvard student or employee. Such attackers usually use less sophisticated exploitation technology as they go after the masses (statistically, some computers are less protected than others).
  2. State actors — Targeted attacks. In contrast to non-targeted attacks, a state actor usually goes after a specific target in order to steal specific information. Such attackers have far greater capabilities, not only because they are familiar with their target, but also because they usually have higher technical capabilities (vulnerabilities for the initial penetration, stealth capabilities, etc.).
  3. Students — Overly ambitious students might try to hack faculty in order to gain various benefits (changing grades, stealing exams, etc.), so this is another threat that should be taken into consideration. Even though this can be considered a type of targeted attack, the technical capabilities of such students will probably not be very high (in comparison with a government-led organization).

The Security Value of Password Managers to Harvard

Now that we know whom we want to protect and from whom, we can continue by analyzing the security value that LastPass (and other password managers) offers. As I have explained earlier, password managers are great for security, but they introduce a new threat because all of the passwords are now kept in one place. Gaining access to a computer on which LastPass is installed is a “jackpot”. However, gaining such access is not an easy task. It will usually require a targeted phishing attack, the use of zero-day vulnerabilities (because the most widely used operating systems are automatically updated) and an APT that can overcome the antivirus/anti-malware programs most users are running. It is very rare for internet criminals or hackers to have such capabilities. Thus, the major threat that LastPass introduces (access to a computer == access to all the passwords) is much more relevant to state actors than it is to criminals and other attackers.

The following table summarizes the various threats and how LastPass can assist in protecting against them:

[Table: The Security Value of Password Managers to Harvard]

It is less likely that state actors will go after students. Harvard’s employees are more likely targets, and if this were the only threat in front of us I would recommend not using LastPass. However, in the context of Harvard, the attacker will most likely be a hacker (or student) with lesser technical capabilities, so the advantages of using LastPass outweigh the disadvantage. This is why my bottom-line recommendation is to use password managers at Harvard.

Do Not Make Mandatory Something You Can’t Enforce

Both students and employees connect to the Harvard network with their own devices. It is technically impossible to enforce the use of a password manager on them. Though there are technologies that allow clients to connect to the network only if they have a specific program installed (NAP, for example), that still does not mean people will actually use the product.

From my experience I have learnt that it is usually a bad idea to make mandatory something that cannot be enforced. It results in everyone thinking that all others are “criminals” and degrades the power of future decisions and orders issued. Making something mandatory without being able to enforce it is not a good idea. If there were some magical way to 100% enforce the installation and usage of LastPass, I would recommend making it mandatory. Until then, let’s keep it as a warm recommendation.

Summary and Action Items

Harvard should strongly recommend that both its students and employees use a password manager.

Because it is (technically) impossible to make it mandatory, Harvard should make as much effort as possible to encourage its users to use this technology.

There are effective actions Harvard can take to increase the adoption of such password managers among its users:

  1. Education — Make users (students and employees) understand the importance and value. This can be done by emails from IT, posters across campus, etc.
  2. Ease of Use — Make it easy for the users to download, install and use the software. This includes subsidizing it and offering in-house technical support.

One Final Note — It All Depends on Who We Want To Protect From

My recommendation is based on Harvard’s threat analysis. It may be different for other organizations with a different set of threats. For example, for a large government organization my recommendation would be the exact opposite — do not use a password manager — as the main threat to such an organization is state actors whose main objective is to obtain access to individual computers. Such access to a computer on which LastPass is used will result in the attacker obtaining all of that user’s passwords.

— HKS CIO