​

Why is it of interest?

 

I bet everyone will be attracted after reading LastPass’s product description, but let’s take a closer look at why HKS recommends the use of LastPass and why it considers making it mandatory.

 

1. The considerable cybersecurity challenges that Harvard is facing. 

 

Believe it or not, Harvard University experiences tens of thousands of cyberattacks every single day. As Dev A. Patel and Samuel Y. Weinstock discussed in the Harvard Crimson Piece on “Hacking Harvard,” these attacks not only target the information that passes through the Harvard IT system but also covet the power they may obtain after successfully “controlling” Harvard’s technology infrastructure. Even worse, some cybersecurity issues are not due to the relentless hackers but come from the carelessness or mistakes of the people who have access to the system. One of these examples is the client data leak that happened at the Harvard Law School in 2008. 

 

2. The importance of protecting cybersecurity at HKS

 

As outlined before, Harvard faces severe cybersecurity challenges from both the “outside” and the “inside,” which is the same as HKS. A wide range of digital assets is stored in the HKS technology infrastructure, including confidential personal and organizational information, client information and transaction records, emails and other forms of communication records. Any single attack that manages to access the data can cause colossal chaos and embarrasses HKS and Harvard. Thus, improve the overall cybersecurity of the community is a definite necessity. 

 

Among all the possible approaches, making students, faculty, and staff’s passwords more secure is a plausible direction, as the passwords hold the key to enter the HKS digital assets. Under many known circumstances, hackers do not always attack the most valuable components in your digital assets, but the most vulnerable ones. For example, let’s imagine an HKS student who works on a confidential project through an encrypted server and chooses the same password he uses for an online shopping browser extension (sounds scary but is quite common). The hacker may find it much easier to hack his password through the more vulnerable extension and gain the key to the confidential information.

 

3. The difficulty of managing passwords and digital assets 

 

Simply from a user experience perspective, it is reasonable why people love password managers. It is just extremely difficult to remember all the passwords or even the usernames. The thing gets more annoying when some websites ask for special characters or capital letters in the passwords, which forces you to create many derivatives of your most-used password. Moreover, think about the last time you have to share your username and password with your family member or colleague. Did you feel worried when you share them via WhatsApp/Emails/Messages?

 

Why shouldn’t we make LastPass mandatory?

 

So far, if you agree with my arguments, you may have already searched “LastPass” on Google and probably have it installed. However, let’s take a step back and think about what risks the tool itself may bring. It turns out to be the case that these risks may keep you from using it.

 

1. One hacked, all hacked. 

 

The scariest thing for a LastPass user is that his/her LastPass account is hacked. Although LastPass advertises its security and strong encryption algorithms, one still needs a master password to access their accounts, which is probably another derivative of their existing passwords. Thus, the tool does not solve the risk we discuss in the HKS student case. Moreover, in that case, even when the hacker gets the password, they still have few ideas about what accounts you have registered. However, if your master password for LastPass is hacked or simply leaked, your whole digital assets are open to hackers. Doesn’t it sound scary?

 

And the scenario I just described has actually happened, more than once. To learn more, check out the piece by Forbes.

​