Mandating the use of LastPass at HKS

Taran R
Oct 29, 2019

Mandating the use of LastPass at HKS seems like a great idea. However, “mandating” doesn’t guarantee people will use the interface perfectly, so I would mandate LastPass only if:

  • LastPass confers additional security benefits against the greatest threats we face, beyond the status quo
  • Those benefits survive even when people don’t use it exactly as intended
  • The benefits justify the added costs, including the cost of people using it only partially or mistakenly
  • No better alternative to LastPass exists

Gauging each of these pieces requires a systematic examination of threats, benefits and costs to users and the HKS system as a whole.

Threats

As the HKS IT department clearly states, several kinds of actors target HKS and its users, ranging from ordinary phishers to nation-states, each with its own motivation. A ransomware operator might target HKS because members of a high-profile institution look like they can be extorted for a larger payoff. A nation-state might be trying to extract confidential information to serve its own interests.

In either case, the external actor’s goal is to get into specific members’ accounts, whether those are the easiest to break into, the most valuable, or the most gullible.

Benefits — How LastPass evades threats

LastPass adds two things to the standard HKS security setup. On top of two-factor authentication (already in place for HKS accounts), the vault is encrypted on the user’s own device with a key derived from the master password; LastPass’s servers store only the encrypted blob and never see the master password. If LastPass were ever breached, the stolen data would be useless to the attacker unless they could guess the master password offline, so that guarantee is only as strong as the master password itself. The browser extension also fills a saved login only on the site it was saved for, which is a real defence against phishing: a lookalike login page gets nothing. Together these matter against nation-state and phishing threats alike.

The service also makes it easier to stop reusing passwords across accounts. Reusing one password, or minor variations of it, across sites is a serious risk because any one of those sites leaking its password database exposes all the others (attackers routinely replay leaked credentials elsewhere), so your security becomes only as strong as the weakest site’s. LastPass removes the need to remember each password individually, which is what makes unique passwords practical.

Mandating the use of LastPass may also be an effective way to get people to upgrade their passwords. Personally, I procrastinate updating my passwords until I am prompted to, even when I know I should, so a rollout could be a good opportunity to nudge people to create stronger passwords across all their major accounts. Freed from the need to memorize them, people can let the manager generate passwords that are genuinely hard to guess.

Costs of LastPass

Aside from the monetary cost, the main questions are whether LastPass places an undue burden on people and whether they will use it effectively. My experience with LastPass doesn’t suggest it’s too burdensome; at the very least, it’s no worse than the status quo. However, some of the ways people might use LastPass could themselves become a security risk. As a wise user once said, “Security at the expense of usability comes at the expense of security.”

The biggest risk is that LastPass puts all of your eggs in one basket. If someone learns your master password, they can reach every password and login you store. And if someone uses the same master password for LastPass and for other websites (more common than you might believe), then their LastPass security is only as strong as the weakest of those websites: a breach of a poorly protected forum hands over the master password, and with it the whole vault. LastPass flags a master password that is also used on a stored site, but it doesn’t force you to change it. So poor use of LastPass can produce a worse outcome than no manager at all, because a single compromised account gives a malicious actor every account stored in LastPass.
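As an added example (not LastPass’s code or the author’s), the following Python sketch models the mechanism described in the Benefits section and the failure mode described just above: the vault is encrypted on the device with a key derived from the master password, the server holds only the blob, and an attacker with a stolen blob is reduced to guessing the master password offline. It also runs the reuse audit the post says LastPass performs. The sample vault, the guess list, the PBKDF2 work factor and the HMAC-based stand-in cipher are all assumptions of this example, not LastPass’s actual design; a real manager uses an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os
from collections import defaultdict

PBKDF2_ROUNDS = 100_000  # assumed work factor, not LastPass's actual setting


def derive_key(master_password, salt):
    """Client-side key derivation: the server never sees the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def _keystream(key, nonce, length):
    """Stand-in keystream (HMAC in counter mode). Illustrative only; a real
    manager uses an AEAD such as AES-GCM instead of this construction."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_password, entries):
    """Encrypt on the device; the returned dict is everything the server stores."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()  # integrity check
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password, blob):
    """Return the entries, or None if the master password is wrong or the blob was altered."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ct, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt)
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(plaintext)


def offline_guess(blob, candidates):
    """What an attacker holding a stolen blob does: try guesses with no server involved.
    Returns the master password if a guess works, else None."""
    for guess in candidates:
        if decrypt_vault(guess, blob) is not None:
            return guess
    return None


def audit_reuse(master_password, entries):
    """Flag the 'all eggs in one basket' failure modes: the master password also
    used on a stored site, and one password shared across several sites."""
    by_password = defaultdict(list)
    for site, creds in sorted(entries.items()):
        by_password[creds["password"]].append(site)
    return {
        "master_reused_on": by_password.get(master_password, []),
        "shared_across": {pw: sites for pw, sites in by_password.items() if len(sites) > 1},
    }


# Constructed sample vault (hypothetical sites and credentials, not real data).
SAMPLE_VAULT = {
    "mail.example.test": {"user": "taran", "password": "Tq7#vLm2pX"},
    "bank.example.test": {"user": "taran", "password": "Tq7#vLm2pX"},   # same as mail
    "forum.example.test": {"user": "taran", "password": "Winter2019!"},  # same as master
}
WEAK_MASTER = "Winter2019!"
STRONG_MASTER = "quail-mortar-7Pzw9-lattice"  # long, used nowhere else
# Constructed guess list standing in for a leaked forum database or a wordlist.
LEAKED_GUESSES = ["password", "letmein", "Winter2019!", "Harvard123"]


def demo():
    """Run the scenario from the text and return the observations."""
    weak_blob = encrypt_vault(WEAK_MASTER, SAMPLE_VAULT)
    strong_blob = encrypt_vault(STRONG_MASTER, SAMPLE_VAULT)
    return {
        "server_sees_plaintext": "Tq7#vLm2pX" in json.dumps(weak_blob),
        "wrong_master_decrypts": decrypt_vault("not-the-password", weak_blob) is not None,
        "right_master_decrypts": decrypt_vault(STRONG_MASTER, strong_blob) == SAMPLE_VAULT,
        "weak_vault_cracked_with": offline_guess(weak_blob, LEAKED_GUESSES),
        "strong_vault_cracked_with": offline_guess(strong_blob, LEAKED_GUESSES),
        "audit": audit_reuse(WEAK_MASTER, SAMPLE_VAULT),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the weak vault falls to a four-entry guess list because the master password also protected a throwaway forum, while the strong vault survives the same list unopened; the audit names the forum and the two sites sharing a password. The server-side encryption is only as good as the one password it hangs from.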

The best way to mitigate this risk is mandating two-factor authentication for LastPass. That way, even if people choose weak or similar passwords across websites, a malicious actor who obtained their master password from a weak site still could not log in without their phone. One caveat: the second factor guards the login to LastPass’s service, not the cryptography, so if an attacker has obtained a copy of the encrypted vault itself (say, from a breach of LastPass), only the strength of the master password stands between them and its contents. HKS would need to work out how to make two-factor authentication usable when people travel abroad (already an issue, though authenticator apps generate codes without network access), but that seems a reasonable price to pay for security.
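To make the second-factor argument concrete, here is an added example (not LastPass’s implementation) of a login that requires both the master password and a time-based one-time code (RFC 6238 TOTP) computed from a secret held only on the phone. The account record, the demo secret, the salt and the fixed timestamp are constructed for this example; a real service’s server side (rate limiting, recovery codes, device trust) is more elaborate.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, window=1, step=30):
    """Accept the current step plus `window` neighbours for clock drift; constant-time compare."""
    return any(hmac.compare_digest(totp(secret, at_time + d * step, step), code)
               for d in range(-window, window + 1))


# Constructed account record (what the service stores), not real credentials:
# a salted hash of the master password plus the TOTP secret enrolled from the phone app.
SALT = b"constructed-salt-for-demo"
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")  # demo secret, base32 as carried by an enrolment QR code
MASTER = "Winter2019!"  # deliberately weak and reused on a forum, as in the text
ACCOUNT = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", MASTER.encode(), SALT, 100_000),
    "totp_secret": TOTP_SECRET,
}


def login(master_password, code, at_time):
    """Succeed only if the master password AND a fresh code from the phone are both presented."""
    candidate = hashlib.pbkdf2_hmac("sha256", master_password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, ACCOUNT["pw_hash"]):
        return False
    if code is None:
        return False  # the password alone is not enough
    return verify_totp(ACCOUNT["totp_secret"], code, at_time)


def scenario(now=1_600_000_000):
    """Attacker learned the master password from a breached forum; the user still has the phone."""
    phone_code = totp(TOTP_SECRET, now)        # what the user's app shows right now
    stale_code = totp(TOTP_SECRET, now - 600)  # a code an attacker captured ten minutes ago
    return {
        "attacker_password_only": login(MASTER, None, now),
        "attacker_stale_code": login(MASTER, stale_code, now),
        "user_with_phone": login(MASTER, phone_code, now),
        "wrong_password_right_code": login("guess", phone_code, now),
    }
```

The attacker who bought the reused master password from a forum dump gets nowhere without a current code, and a code captured earlier expires within the drift window; only the user holding the phone logs in. Note that this gate applies to the service login; it does nothing for an encrypted vault copy the attacker already holds.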

Alternatives to LastPass

Plenty of other password manager services exist, and all the major tech sites publish in-depth reviews of them. I would certainly encourage HKS to compare the services to make sure we get the best deal for our money, but LastPass’s transparency and consistent service seem to be a distinguishing trait. Barring a major leak or breaking news of LastPass’s shortcomings, it looks like a great investment for HKS and one that should be mandatory.
