Playing it safe? Mandating LastPass use is not the answer
LastPass is a password manager that stores encrypted passwords online. Users create an account with their email address and master password, which are then used to generate a unique encryption key. Users’ passwords are encrypted and decrypted locally, so that LastPass never has access to the encryption key or master password. LastPass also alerts users if they use the same password for several applications and supports the generation of strong passwords. LastPass is available as a browser extension and mobile app.
HKS has valuable assets worth protecting from capable attackers: HKS administrators collect sensitive student data, faculty are involved in critical research in technology and defense, students may be former or future influential figures, and the Harvard brand itself may be leveraged for phishing attacks. Likely attackers include foreign state actors as well as actors with financial or political motives. The former in particular pose a security risk, as they have strong technical capabilities, large financial resources and time, and enjoy legal impunity in their jurisdictions.
Using LastPass can increase the password security of the HKS community. With HarvardKey, Harvard University has a single log-in for all university-related services. If Harvard community members re-use their HarvardKey password for other websites, leaked passwords may allow attackers to get access to their Harvard accounts. A study of 28 million users found that 52% of them had used the same passwords for different services. HKS students, faculty, and staff are likely no exception. By making the use of unique and strong passwords across services more convenient, LastPass therefore likely increases the password security of HKS. And since a compromised account poses security risks not only for the account holder but also for others in the HKS community, mandating LastPass could help internalize these externalities.
However, password security is likely not the weakest link in HKS’ cybersecurity. Guessing or obtaining a re-used password is only one way to get access to an account. A likely bigger threat for HKS is phishing, where attackers pretend to be an entity trusted by the target and where the use of LastPass offers little protection. Recent examples serve as a case in point. Further, HKS already requires all users to use two-factor authentication. If a new device and/or IP address is used for login, users need to approve the login attempt on their phone. Therefore, obtaining a user’s password does not automatically give attackers access to their account.
Mandating the (effective) use of LastPass is not administratively feasible. Since LastPass is used as a browser extension or app, it is difficult for the HKS IT department to verify whether HKS community members actually use it. Even if it were possible to control the use of LastPass, the HKS IT department could not check whether HKS community members use LastPass in ways that negate its purpose, such as choosing a master password they already use for other services and/or using LastPass to store the same password for several websites.
Making LastPass mandatory may create a false sense of security and crowd out intrinsic motivation for security-enhancing behaviour. Phishing attempts illustrate that there is no purely technological solution for cybersecurity — human behavior is always part of the equation. If LastPass is the only mandated security tool (in addition to two-factor authentication) and thus relatively salient to users, they may get a wrong sense of the risks posed by different threats and be less alert to phishing attacks. Making LastPass mandatory may also make users generally less motivated to take actions that enhance their online security, as they feel that by using LastPass as mandated they have ‘fulfilled their duty’.
While LastPass should not be mandatory, it should remain part of the IT briefing for new students, faculty, and staff. While mandating is not recommended for the reasons described, the HKS IT department should continue to feature LastPass in its security briefing. All else equal, more HKS members using LastPass means a more secure HKS, even if password security is not the biggest vulnerability in HKS’ cybersecurity.
This blog post was written in response to an assignment for the course DPI-662 Digital Government: Technology, Policy, and Public Service Innovation at Harvard Kennedy School.