Should LastPass be mandatory at the Harvard Kennedy School?

Yass Chen
4 min read · Nov 2, 2020

What is LastPass?
LastPass is a password manager that stores all of your usernames and passwords in a central place called the Vault and can be added as an extension to your browser. After you save your passwords in the Vault, LastPass remembers them for you and enters your username and password whenever you need to log in to a website.

What problem is LastPass or any other password manager solving?

1. Increased convenience: You don’t have to remember your passwords

  • You can use stronger and more complicated passwords
  • Unique passwords for every website you access
  • Increased security across all services you use

2. Stronger security: More than storing passwords

  • Store credit card information
  • Generate random passwords
  • LastPass’s Security Challenge can help you identify weak and duplicated passwords that should be changed

3. Additional time saved: Fast access

Problems with LastPass/password managers

  • You have to be comfortable with the way data is being stored by the password manager and completely trust their encryption as you are essentially putting all your eggs in one basket, including your credit card numbers.
  • Once you use a password manager, you are giving up control over the passwords to the password manager as they are all stored on a server in a central place.

“In case of a breach or a successful hack, cybercriminals can download the information in bulk and your account may end up in that data trove.”

  • Phishing attacks are still highly feasible: if you are tricked into installing a malicious app or clicking on a link, the app or site can present itself as a legitimate option on the autofill prompt, and there is a high chance that your password manager automatically fills in your password on the malicious app or website.
  • According to researchers from the Department of Computer Science at the University of York, many password managers are also susceptible to URL mismatch, so the autofill function can be exploited.
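The URL-mismatch problem above comes down to how the autofill logic decides that the page it is looking at is "the same site" as the one the credential was saved on. The following added example (written for this post, not LastPass's code and not the University of York researchers' test harness) puts a loose matcher that only compares the registrable domain next to a strict matcher that compares the full origin (scheme, host and port). The vault entries, hostnames and usernames are constructed for illustration; the two-label approximation of the registrable domain is an assumption that stands in for the Public Suffix List a real client would use.

```python
from urllib.parse import urlsplit

# Constructed vault entries (not real accounts): the URL a credential was
# saved on -> the username that would be autofilled with it.
VAULT = {
    "https://login.example-university.edu/": "student@example-university.edu",
    "https://shop.example.com/account": "yc-shopper",
}


def origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None otherwise.

    Default ports are made explicit so that https://a.b and https://a.b:443
    compare equal; anything that is not http(s) never gets a credential.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption for this example only; real clients consult the Public
    Suffix List. It is enough to show the gap between the two policies.
    """
    return ".".join(host.lower().split(".")[-2:])


def loose_match(saved_url, page_url):
    """Weak policy: fill whenever the page host shares the saved entry's
    registrable domain, ignoring scheme and port.

    Any host under that domain, including one the credential was never
    saved on, and a plain http:// page all satisfy this check.
    """
    saved = urlsplit(saved_url).hostname or ""
    page = urlsplit(page_url).hostname or ""
    return registrable_domain(saved) == registrable_domain(page)


def strict_match(saved_url, page_url):
    """Strict policy: fill only when the full origin is identical."""
    saved, page = origin(saved_url), origin(page_url)
    return saved is not None and saved == page


def candidates(page_url, policy):
    """Usernames the manager would offer on page_url under the given policy."""
    return sorted({user for url, user in VAULT.items() if policy(url, page_url)})


if __name__ == "__main__":
    page = "https://other.example-university.edu/"
    print("loose :", candidates(page, loose_match))
    print("strict:", candidates(page, strict_match))
```

Under the loose policy a sibling host in the same domain, or an http:// copy of the login page, is offered the saved credential; under the strict policy only the exact origin the credential was saved on is. The strict check is what a user should expect from "only fill on the site I saved this for", and it is the behaviour worth verifying before trusting any manager's autofill.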

Why should HKS make LastPass mandatory?

Faculty members and students come from all kinds of backgrounds, ranging from the government’s intelligence unit to tech companies to medical fields, and many of them are doing highly confidential research, working on things that require superior protection, and have access to many websites that might hold sensitive data such as patients’ medical records or a government’s foreign policy strategy. Furthermore, HKS staff and students also have access to a wide range of costly resources such as the library, magazine subscriptions, and software applications.

Pros for why HKS should make LastPass mandatory

If a hacker has access to an HKS member’s email account, they can also use it to send out phishing emails to the whole HKS community, as an email sent from an HKS member is less suspicious and more trustworthy. The HKS community is only as safe as the weakest link in the entire network, so knowing the password of just one member can already cause severe damage to the entire faculty and even to Harvard University as a whole.

Cons for why HKS should not make LastPass mandatory

If the entire HKS community uses LastPass, then LastPass becomes a single point of failure which can be very easy to target. Once someone compromises LastPass, they will have access to all of our passwords and unique identifiers and can use them to unlock all of the websites and services we use.

What responsibility does HKS have if someone’s password is leaked/hacked?

HKS can recommend that people use a password manager like LastPass, but it is not responsible for any damage created if a hacker gains access to an HKS member’s account.

Even if LastPass is mandatory, there will be no perfect compliance and there is no effective way for HKS to check whether and how many people actually use LastPass in their daily lives.

Conclusion and Recommendation

Rather than making LastPass mandatory and having HKS pay for a service that people do not use, it would be far more secure if everyone used a different password manager, so that if LastPass or another password manager is compromised, it does not affect the entire HKS community. In addition to the security argument, HKS does not have the responsibility of making sure people use secure passwords and protect their various accounts. HKS also does not have the authority to mandate that people use a specific service if other password managers do the same job.

The bottom line is: HKS should make people aware of the risks of password leakage and recommend that people use strong and unique passwords for each of the websites, apps, and services they use. HKS staff, faculty, and students should choose a service and a way that works best for them to protect their passwords and digital life; using a password manager is a great way to do that, but please do not all use the same one.
