Should my organization mandate the use of LastPass?

In general it is smart to install a password manager. Today everyone has dozens, if not hundreds, of usernames and passwords, and without a password manager it is very likely that one will choose a weak password and reuse it over and over again.

One of the most celebrated password managers is LastPass, a user-friendly application that can be used across different devices. LastPass can generate strong passwords on demand and launch sites using the stored login information. These features not only eliminate the frustration of forgetting a password but also help ensure that strong passwords are actually used.

Given these characteristics it is not surprising that several organizations, among them the distinguished Harvard University, encourage their members to use this application.

A few months ago I was tasked, as head of IT in my organization, with recommending to the management team whether we should mandate our workers to use LastPass. After taking David Eaves's course at HKS and after playing the game Werewolf, I came to the conclusion that it would not be a wise shift for our organization. Based on my understanding, mandating LastPass for our workers would expose them and the organization to the following risks:

1. The more users LastPass has, and the more credible organizations encourage or mandate its use, the more attractive a target it becomes for attackers. It is therefore not surprising that at least one hacking incident happened in the past few years[1]. LastPass is a target for several reasons. First and foremost, it holds many millions of valid passwords (encrypted, but all in one place). Second, attackers might assume that the password owners are relatively wealthy, given that many of them are willing to pay for the service. LastPass is thus an ideal target not only for professional criminals who are after money but also for national intelligence organizations with sophisticated hacking capabilities, which may well have the resources to overcome LastPass's encryption, sophisticated as it might be. The Clinton e-mail scandal gives a sense of the possible implications of a simple Gmail compromise, and of how many different organizations have an interest in obtaining these passwords.

2. Here is a story that happened to me just a few weeks ago. I lost my iPad in a public facility. Because I had used the LastPass app that same day, it was still open on the device. I only found out that I had lost the iPad later that day, and in theory anyone who found it could have gained access to all of the sites I log in to, including banking apps. This can happen to anyone, and there is little one can do about it.

3. One of the great advantages of LastPass is that it can automatically generate and store strong passwords, which is one of the main reasons to use it in the first place. The problem is that you have now created a dependency. That dependency is likely to carry an increasing cost the more passwords are stored and the longer you use the app. It is something LastPass is not only aware of but actively strives to create, and at some point it is very likely that LastPass will take advantage of it.

4. If you launch sites from the app you expose yourself to another risk: LastPass can now observe your browsing preferences and could sell this information to commercial parties. As we learned in class, if you get a service for free or at a very low cost, it is likely that you are the product.

5. The last issue I want to point out is that in order to log in to LastPass you need to create a master password. If this password is cracked, it gives an attacker access to hundreds of passwords, already conveniently categorized. If a person chooses a weak password to log in to LastPass, which is very likely to happen, then not only have we not solved the problem we had, we have created a bigger one, because cracking one password is now enough to get hold of all of them. As Bruce Schneier, an independent security expert, put it in an Economist article on the issue, “today’s password crackers can test tens — even hundreds — of millions of passwords per second. In short, the vast majority of passwords used in the real world can be guessed in minutes.”[2]
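
The argument in point 5 hinges on numbers. As an added example (my own, not part of the original post), the following Python estimates how long the quoted cracker rate would take to exhaust a given password, and how much a key-derivation function that forces many hash rounds per guess slows that down. The 100,000,000 guesses per second figure, the tiny wordlist and the 100,000-iteration count are all assumptions chosen for illustration; nothing here describes LastPass's actual implementation.

```python
import secrets
import string

# Guess rate quoted on this page (Schneier, via The Economist) for a fast,
# unprotected hash: tens to hundreds of millions per second. 1e8/s is assumed here.
FAST_HASH_GUESSES_PER_SEC = 100_000_000

# Constructed stand-in for the wordlists crackers try first. Real lists hold
# tens of millions of entries; this one exists only to show the check.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456", "harvard"}

# Alphabet a generated password is drawn from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def charset_size(password: str) -> int:
    """Size of the alphabet a cracker must cover, inferred from what is visible.

    A cracker that sees only lowercase letters tries only lowercase, so the
    estimate uses the classes actually present, not the classes a policy allows.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32
    if any(c not in ALPHABET for c in password):
        size += 1  # rough allowance for spaces and non-ASCII characters
    return size


def is_dictionary_word(password: str) -> bool:
    """Wordlist check with the commonest mangling rule: a word plus trailing digits/symbols."""
    lowered = password.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_WORDS or core in COMMON_WORDS


def assess(password: str, kdf_iterations: int = 1) -> dict:
    """Worst-case time to exhaust the password's keyspace at the quoted rate.

    kdf_iterations models key stretching (PBKDF2-style): each guess costs the
    attacker that many hash rounds, dividing throughput by the same factor.
    1 models an unprotected fast hash. Dictionary words fall immediately.
    """
    charset = charset_size(password)
    keyspace = charset ** len(password)
    dictionary = is_dictionary_word(password)
    effective_rate = FAST_HASH_GUESSES_PER_SEC / kdf_iterations
    seconds = 0.0 if dictionary else keyspace / effective_rate
    return {"dictionary": dictionary, "charset": charset,
            "keyspace": keyspace, "seconds": seconds}


def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that reads naturally."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def generate_password(length: int = 16) -> str:
    """What 'choose a strong password' has to mean: random draws from the full alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed candidates: a mangled dictionary word, a short lowercase one,
    # a short mixed one and a freshly generated one.
    for pw in ("Password1", "abcdefgh", "Tr0ub4dor&3", generate_password()):
        for iterations in (1, 100_000):
            r = assess(pw, iterations)
            verdict = "in wordlist" if r["dictionary"] else human_time(r["seconds"])
            print(f"{pw:20} charset={r['charset']:3} kdf={iterations:>7}  {verdict}")
```

The dictionary check runs before any arithmetic: a mangled common word such as Password1 never reaches brute force, which is the point of the Schneier quote. Eight lowercase letters fall in about 35 minutes against a fast hash but take years once each guess costs 100,000 hash rounds, so the master password's strength and the vault's key stretching matter together. The generate_password function shows what choosing a strong password has to mean in practice: random draws from the full alphabet, not a memorable word with a digit appended.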

For all of the reasons above, my recommendation to our organization is to require our workers to choose strong passwords themselves and store them in a safe place, and not to mandate the use of LastPass.
