DPI 662 Memo 4
A Password Manager Is NOT A Panacea
LastPass, together with other online password managers, has been widely recommended and used. Harvard Kennedy School (HKS) also recommends it as an approach to help students, faculty, and staff better manage their online accounts and improve the HKS community's overall cybersecurity. A recent debate has arisen about whether the LastPass password manager should be made mandatory. This blog post offers some thoughts on why requiring the use of LastPass is not a panacea and may introduce additional risks.
LastPass. What is it?
LastPass is an online tool for storing, managing and sharing users’ passwords. One only needs to set up and remember a master password for LastPass to access all the accounts associated with it, such as Amazon, Google, Facebook, and LinkedIn. You can also easily share your account information (including the password) with your family or team via LastPass. Moreover, LastPass claims to monitor your account security and note you when a risk is detected.
Why is it of interest?
I bet everyone will be attracted after reading LastPass’s product description, but let’s take a closer look at why HKS recommends the use of LastPass and why it considers making it mandatory.
1. The considerable cybersecurity challenges that Harvard is facing.
Believe it or not, Harvard University experiences tens of thousands of cyberattacks every single day. As Dev A. Patel and Samuel Y. Weinstock discussed in the Harvard Crimson Piece on “Hacking Harvard,” these attacks not only target the information that passes through the Harvard IT system but also covet the power they may obtain after successfully “controlling” Harvard’s technology infrastructure. Even worse, some cybersecurity issues are not due to the relentless hackers but come from the carelessness or mistakes of the people who have access to the system. One of these examples is the client data leak that happened at the Harvard Law School in 2008.
2. The importance of protecting cybersecurity at HKS
As outlined before, Harvard faces severe cybersecurity challenges from both the “outside” and the “inside,” which is the same as HKS. A wide range of digital assets is stored in the HKS technology infrastructure, including confidential personal and organizational information, client information and transaction records, emails and other forms of communication records. Any single attack that manages to access the data can cause colossal chaos and embarrasses HKS and Harvard. Thus, improve the overall cybersecurity of the community is a definite necessity.
Among all the possible approaches, making students, faculty, and staff’s passwords more secure is a plausible direction, as the passwords hold the key to enter the HKS digital assets. Under many known circumstances, hackers do not always attack the most valuable components in your digital assets, but the most vulnerable ones. For example, let’s imagine an HKS student who works on a confidential project through an encrypted server and chooses the same password he uses for an online shopping browser extension (sounds scary but is quite common). The hacker may find it much easier to hack his password through the more vulnerable extension and gain the key to the confidential information.
3. The difficulty of managing passwords and digital assets
Simply from a user experience perspective, it is reasonable why people love password managers. It is just extremely difficult to remember all the passwords or even the usernames. The thing gets more annoying when some websites ask for special characters or capital letters in the passwords, which forces you to create many derivatives of your most-used password. Moreover, think about the last time you have to share your username and password with your family member or colleague. Did you feel worried when you share them via WhatsApp/Emails/Messages?
Why shouldn’t we make LastPass mandatory?
So far, if you agree with my arguments, you may have already searched “LastPass” on Google and probably have it installed. However, let’s take a step back and think about what risks the tool itself may bring. It turns out to be the case that these risks may keep you from using it.
1. One hacked, all hacked.
The scariest thing for a LastPass user is that his/her LastPass account is hacked. Although LastPass advertises its security and strong encryption algorithms, one still needs a master password to access their accounts, which is probably another derivative of their existing passwords. Thus, the tool does not solve the risk we discuss in the HKS student case. Moreover, in that case, even when the hacker gets the password, they still have few ideas about what accounts you have registered. However, if your master password for LastPass is hacked or simply leaked, your whole digital assets are open to hackers. Doesn’t it sound scary?
And the scenario I just described has actually happened, more than once. To learn more, check out the piece by Forbes.
2. It really depends.
Although cybersecurity experts like Bruce Schneier have been advocating password management tools, I still believe it should depend on who you are, what digital assets you access or manage, and which accounts you put on these tools (e.g., LastPass). If you only use it to manage your accounts for daily life, say Netflix, Gmail, Amazon, etc., you are probably ok. It does not mean your accounts are safe (see the last point), but the consequences of being hacked are controllable. However, suppose the use of LastPass becomes mandatory (at HKS). In that case, students, faculty, and staff are possible to store all or most of their accounts and passwords on the platform, which may introduce a new layer of vulnerability to some confidential contents.
3. What if LastPass is bankrupt?
According to the product description on the website, I realize that, once LastPass receives your accounts and passwords, it may generate long and randomized passwords for your accounts to keep it “protected.” But what will happen if LastPass is bankrupt one day? Am I still able to access my accounts? Do I have to go through a long and tedious “Reset Your Password” process?
Given the risks and potential consequences, I recommend HKS not to make LastPass mandatory for students, faculty, and staff. However, they can still keep it as a recommended option. I also urge the IT department of HKS/Harvard to explain the potential risks of LastPass, which may help members of the Harvard community to make better and more suitable decisions.