Let’s imagine I hold the position of Technology Advisor at an organization called ACME Corporation. ACME Corp is in the business of making widgets of all types and sizes. ACME has grown in recent years and now has over 15,000 employees in multiple offices and working remotely across the United States.
Like many companies across the country, ACME Corp is increasingly concerned about our information being stolen by hackers or obtained through phishing techniques. One proposed option is adopting LastPass as a way to increase our security. LastPass is a password manager that stores all of your passwords encrypted in a vault and keeps them secure. The user just has to remember one master password. LastPass can also generate complicated, long, random passwords for you to use.
Should I recommend that ACME Corp. employees adopt LastPass for their work uses? The answer is yes, with some stipulations. Here are the primary considerations:
What’s wrong with our current system?
There may be some employees at ACME Corp who have absolutely atrocious password hygiene. Remember the LinkedIn hack that took place last year? The top three passwords used were: 123456, linkedin and password. There are also likely some ACME Corp employees who use easy-to-guess personal passwords like a pet’s name, a kid’s name, an office crush’s name, or a favorite band. You get the picture. There are very obvious patterns that humans use when creating passwords.
Furthermore, those bad passwords are likely being used across multiple accounts. And, not just across multiple work accounts! We have no reason to suspect that our ACME Corp employees are using different passwords for work than for their personal accounts. Let’s take one of our most incompetent employees — Janice in Accounting. Janice has shared her HBOGO login information with all of her book club friends, and they’ve shared it with some of their friends and family. Let’s hope that Sandra, who works at a competing widgets company, doesn’t realize that the password for Janice’s work account is the exact same as her HBOGO password!
At ACME Corp, we probably have many employees who realize the importance of creating sufficiently complicated passwords and using different passwords for different accounts. That’s great! But you might then walk into those people’s offices and see post-it notes covering their computer monitors with every password for every work account clearly written out. We likely also have employees who are storing all of their different passwords unprotected in Excel spreadsheets or Word documents, or even in their unlocked iPhones. Super dangerous!
But if most of our employees have good “password hygiene” isn’t that enough?
Inevitably, some of our employees will fail to follow our advice to create strong passwords. As we found in the game Werewolf, it takes just one weak link to bring down an entire system. Just one employee at ACME Corp using a weak password could cause us to suffer a massive data breach that could not only put the survival of ACME Corp at risk, but the breach could also put personal information about our employees and customers at risk.
Okay, but what if LastPass gets hacked? Will ACME Corp be screwed?
Last June, LastPass admitted it had been the target of a hack that obtained users’ email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for their master password. Pretty scary, right? LastPass claims that users are protected due to the cryptographic protections placed on those passwords which would be nearly impossible to crack. Those without strong master passwords were probably more at risk.
It seems that ACME Corp would not be at risk from a hack like this, provided that: 1) we ensure that our users of LastPass create sufficiently strong master passwords and 2) we pair LastPass with two-factor authentication. So, we need to ensure that our employees are using unique, strong passwords, and we should ensure that these passwords are occasionally changed.
We also need to remember that moving our system over to LastPass won’t increase our security if we aren’t identifying the weak and duplicate passwords that we are transferring over to the password manager and replacing them with tougher ones. LastPass should be able to flag weak and duplicate passwords in our system and help us create an automated process for changing the passwords.
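To make concrete what “flagging weak and duplicate passwords” means in practice (the patterns described under “What’s wrong with our current system?” and the audit step above), here is an added example of a small audit script. It is not LastPass’s own tooling and does not use its API; the vault entries, the common-password list and the thresholds (12-character minimum, 50-bit entropy estimate) are constructed for illustration.

```python
"""Audit a constructed password inventory for weak and reused passwords.

Added example, not LastPass code: it models the kind of check a password
manager's security report performs, over a constructed sample export.
"""
from collections import defaultdict
import math

# Constructed list of passwords known to be common. The first three are
# the LinkedIn-breach entries named in the text; the rest are assumed.
COMMON_PASSWORDS = {"123456", "linkedin", "password", "qwerty", "letmein"}

# Constructed sample export: (account, username, password).
SAMPLE_VAULT = [
    ("HBOGO", "janice", "Fluffy2014"),
    ("ACME Payroll", "janice", "Fluffy2014"),   # personal password reused at work
    ("ACME VPN", "janice", "123456"),           # common password
    ("ACME Wiki", "raj", "Correct-Horse-Battery-Staple-77"),
    ("ACME VPN", "raj", "Correct-Horse-Battery-Staple-77"),  # reused across work accounts
    ("ACME Email", "maria", "x7$Qp9!vLm2#Rt4w"),
]

MIN_LENGTH = 12          # assumed policy minimum
MIN_ENTROPY_BITS = 50    # assumed policy minimum for the estimate below


def charset_size(pw):
    """Size of the character pool implied by the classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def estimated_entropy_bits(pw):
    """Upper-bound entropy estimate: length * log2(pool size).

    This is generous (it assumes uniformly random choice from the pool), so
    anything that fails even this estimate is certainly weak.
    """
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def weak_reasons(pw):
    """Return the list of policy rules a single password fails (empty if none)."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        reasons.append("low estimated entropy")
    return reasons


def audit(vault):
    """Map 'user@account' to its findings; entries with no findings are omitted.

    Reuse is flagged when the same (username, password) pair appears under
    more than one account, which is exactly the Janice/HBOGO scenario.
    """
    seen = defaultdict(list)  # (user, password) -> [accounts]
    for account, user, pw in vault:
        seen[(user, pw)].append(account)

    findings = {}
    for account, user, pw in vault:
        reasons = weak_reasons(pw)
        others = [a for a in seen[(user, pw)] if a != account]
        if others:
            reasons.append("reused on: " + ", ".join(sorted(others)))
        if reasons:
            findings[f"{user}@{account}"] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in sorted(audit(SAMPLE_VAULT).items()):
        print(f"{entry}: {'; '.join(reasons)}")
```

Run as-is, the report lists every Janice entry and both of Raj’s reused work logins, while Maria’s long random password produces no finding. The reuse check keys on the (username, password) pair rather than the password alone so that two different people who happen to pick the same weak string are reported by the weakness rules, not confused as one person reusing a password.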
What about when our employees get laid off or quit?
It’s likely that most of our employees at ACME Corp will not want to spend the rest of their lives making widgets. We also want to fire Janice in Accounting some day, but that means that we’ll have to change a whole lot of passwords that Janice has access to. The shared folders feature in LastPass should be a big boon to ACME Corp, by finally allowing us to share communal passwords across employees, without employees knowing what those passwords are. So once we finally fire Janice from Accounting, we don’t have to change every single password that she had access to. This should also help keep our employees from emailing passwords for shared accounts back and forth.
Will LastPass protect us against China trying to steal our widget patents?
Let’s imagine that ACME Corp has recently been the target of state-level phishing and hacking from China; they really want access to the top secret designs for our widgets. The bad news is that LastPass is probably not going to protect us from that type of security breach. LastPass should simply be one integrated part of our cybersecurity strategy. We also need to train our employees to be wary of suspicious emails, and to put in place measures that make it harder for our employees to leak information and/or access files that have no relation to their position.
So, in conclusion, I recommend that ACME Corp employ LastPass as a first step to increasing our security. However, we have some important items to consider: we need to ensure that our employees create sufficiently long master passwords. We also need to take steps to educate our employees on other cybersecurity threats, such as phishing. Yet we must also remember that ACME Corp could spend all of its budget on cybersecurity, and that we must treat security as only one priority area of our business. Additionally, we must balance security with accessibility. We want our customers and employees to be able to easily access the information they need to thrive when working with or at ACME Corp.