HKS: You shall not LastPass!

Malvzgcia
4 min readOct 30, 2020


Source: nicepng.com

Passwords are (literally) a key barrier protecting our information. For this reason, the way we choose and handle our passwords is of paramount importance. Still, the effort that we ordinary people put into creating strong passwords, making them unique, and changing them regularly rarely matches how much depends on each of those steps. Hence, companies like LastPass offer services that make password management easier for their users.

With this in mind, some organizations, such as the Harvard Kennedy School, wonder whether they should make LastPass mandatory for their members. The answer to that question should be no. This post first introduces how LastPass works and then identifies its main pros and cons to explain the reasons behind that position.

So, how does LastPass work?

LastPass is password management software. “The great thing about LastPass is that you only have one password to remember. You create and remember your master password, and LastPass does the rest.” To “do the rest,” the software stores users’ data (usernames, passwords, and payment information for different services and sites) in a single place called the “password manager vault,” which is unlocked with that one master password.

Users can install the LastPass application and/or add it to their browser as an extension. When they log in to a site or shop online, the software auto-fills the required fields with the data it keeps in the vault.

Example of LastPass’ password manager vault

What are the benefits for users?

  • Timesaving: Password autofill saves users time when signing in to a site or completing an online transaction.
  • Simpler password management: The password vault is a useful tool because it centralizes all of a user’s credentials in one place. From that single place, users can modify and audit the many passwords for the sites they visit and the services they use.

What’s the other side of the coin?

  • Spilling the beans: Security breaches are a concern that HKS should bear in mind. Any vulnerability that compromises LastPass can pose a big problem for its users, and the risk is monumental precisely because all of the information is concentrated in one place. Data centralization is therefore a double-edged sword. Like all software, LastPass works properly only if it is kept updated and configured correctly; when that fails, the system can be compromised. LastPass states on its website that it has experienced a single security incident. However, in 2019 Tavis Ormandy, a vulnerability researcher at Google, reported that LastPass could leak the credentials the user had last used, owing to a cache update error.
  • Pecuniary costs: Acquiring and maintaining such a tool is financially costly for Harvard. The cost grows when one considers that HarvardKey and the Duo Mobile authentication service are also paid for. While the latter protects only Harvard credentials, LastPass could (in theory) protect Harvard information indirectly, by ensuring secure password management for its members’ personal services. However, in a world where compliance is never perfect and where there is no way to enforce mandatory use of LastPass, the objective of such a measure becomes as utopian as Daenerys Targaryen thinking she would rule the Seven Kingdoms.
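To make the “one master password unlocks everything” model from the previous section and the centralization risk in the first bullet above concrete, here is a toy password-manager vault. It is an added example written for this page, not LastPass’s code: it assumes PBKDF2-HMAC-SHA256 with 100,000 iterations as the key-stretching step and uses an HMAC-SHA256 counter-mode keystream in place of AES (the Python standard library has no AES); the real product’s scheme and parameters are not assumed. The `offline_guess` function plays the attacker who has obtained a copy of the encrypted vault.

```python
# Added example (not LastPass's code): a toy password-manager vault, showing
# why the master password becomes the single point of failure once a copy of
# the encrypted vault leaks.
import hashlib
import hmac
import os
import secrets
import struct

# Work factor for PBKDF2. Chosen for this example; the real product's
# parameter is not assumed here.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _subkeys(vault_key: bytes):
    """Separate keys for encryption and authentication (never reuse one key for both)."""
    enc_key = hmac.new(vault_key, b"vault-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for AES-CTR (the stdlib has no AES)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_entry(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_entry(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    if len(blob) < 16 + 32:
        return None
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def offline_guess(salt: bytes, iterations: int, blob: bytes, wordlist):
    """What an attacker does with a stolen vault: try master passwords until one decrypts it.
    Returns (recovered_password, guesses_tried); the password is None if the list is exhausted."""
    for tried, guess in enumerate(wordlist, start=1):
        if decrypt_entry(derive_vault_key(guess, salt, iterations), blob) is not None:
            return guess, tried
    return None, len(wordlist)


# Constructed sample data for the demo (not real credentials).
SAMPLE_ENTRY = b"site=bank.example  user=alice  pass=Xk9#vQ2!pL"
# A small constructed guess list; real attackers use billions of candidates.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "harvard2020", "letmein"]


def demo(master_password: str):
    """Build a vault under the given master password, then attack a stolen copy of it."""
    salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, salt)
    blob = encrypt_entry(vault_key, SAMPLE_ENTRY)
    assert decrypt_entry(vault_key, blob) == SAMPLE_ENTRY                # legitimate user can read it
    assert decrypt_entry(derive_vault_key("wrong", salt), blob) is None  # wrong key is rejected
    # The attacker holds the salt, iteration count and blob (all stored with the vault), not the key.
    return offline_guess(salt, ITERATIONS, blob, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print("weak master:  ", demo("harvard2020"))                 # ('harvard2020', 4)
    print("strong master:", demo(secrets.token_urlsafe(24)))    # (None, 5)
```

The point of the demo is that a breach of the vault store does not, by itself, hand over any credentials: the attacker is left guessing the master password offline, and the only two things slowing that down are the password’s strength and the KDF work factor. A weak master password therefore turns “one password to remember” into “one password to crack,” which is exactly why centralization cuts both ways.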

The “Economics” of Security

As Bruce Schneier has rightly stated, “security is often a trade-off with convenience.” We are faced with the security that Harvard and its members want to achieve regarding their data and the convenience of using this application. Also added to the balance is that the use of LastPass would be mandatory and the costs and risks this approach entails.

In this case, the risks and costs of the measure outweigh its convenience. However, that does not mean that security should be compromised.

In the first place, it is not sensible for HKS to assume such a large financial cost for a measure whose enforcement it cannot ensure, since compliance depends on the will and diligence of its members. Furthermore, if HKS members did comply fully with the mandate, HKS would be seen as responsible if any member’s information were compromised by a LastPass breach, for having “forced” them to use the tool.

If HKS wants to improve the password management of its members, it could adopt the recommendations below.

Recommendations

  • Maintain and focus its efforts on the two-factor authentication system (Duo) that the university already has in place for Harvard credentials.
  • Implement an education campaign on password management. According to the 2017 Data Breach Investigations Report, “81% of hacking-related breaches leveraged either stolen and/or weak passwords”. Hence, to address the root problem, HKS should provide training to its members on password management. This training could include the use of software as a beneficial tool to ensure both security and convenience.



Written by Malvzgcia


Blog rookie. LLM Candidate at Harvard Law School.
